(57) An email access control scheme capable of
resolving problems of the real email address and
enabling a unique identification of the identity of the user
while concealing the user identification is disclosed. A
personalized access ticket containing a sender's
identification and a recipient's identification in
correspondence is to be presented by a sender who wishes to
send an email to a recipient so as to specify the recipient as
an intended destination of the email. Then, accesses
between the sender and the recipient are controlled by
verifying an access right of the sender with respect to the
recipient according to the personalized access ticket at a
secure communication service. Also, an official
identification of each user by which each user is uniquely
identifiable by a certification authority, and an anonymous
identification of each user containing at least one fragment
of the official identification are defined, and each user is
identified by the anonymous identification of each user in
communications for emails on a communication network.



[Front-page drawing; labels legible in the scan: AID ISSUANCE, VA[...] PERIOD, REPLY MES[...] TEXT]






EP 0 946 022 A2






Description 



BACKGROUND OF THE INVENTION

FIELD OF THE INVENTION

[0001] The present invention relates to an email
access control scheme for controlling transmission and
reception of emails by controlling accesses [...]
communications from other users whose identifications on the
communication network are concealed, [...]
an identification of a recipient on the communication
network.
DESCRIPTION OF THE BACKGROUND ART

[0002] In conjunction with the spread of the Internet,
the SPAM and the harassment [...] increasing.
The SPAM is a generic name for emails
or news that are unilaterally sent without [...]
to the recipient's time consumption, [...]
and mental burdens. The SPAM using emails are also
known as UBE (Unsolicited Bulk Emails) or UCE
(Unsolicited Commercial Emails).
[0003] The SPAM is sent indiscriminately regardless
of the recipient's age, sex, interests, etc., so that the
SPAM often contains an uninteresting or unpleasant
content for the recipient. Moreover, the time consumption
load and the economical load required for receiving
the SPAM is not so small. For the business user, the
SPAM can cause the lowering of the working efficiency
as it becomes hard to find important mails that are
buried among the SPAM. Also, [...] the SPAM to a
huge number of users, the SPAM wastes the network
resources and in the worst case the SPAM can cause
the overloading. As a result, there can be cases where
mails that are important for the user may be lost. Also,
the SPAM is sent either anonymously or by pretending
someone else so that there is a need to provide some
human resources to handle complaints.
[0004] On the other hand, the harassment is an act of
continually sending mails with unpleasant contents to a
specific user for the purpose of causing mental
agony or exerting economical and time consumption
burdens to the specific user. Similarly as the SPAM, the
harassment mails are sent by pretending an actual or
virtual third person, so that the identification of the
sender is quite difficult. Also, there are cases where a
large capacity mail is sent or a large amount of mails are
sent in short period of time so that there is a danger of
causing the system breakdown.
[0005] In order to deal with the SPAM and the
harassment, the mail system is required to satisfy the
following requirements.

Security

It is necessary to detect the pretending by the
sender and refuse the delivery from the pretending
sender.

Strength

It is necessary [...] in order
to circumvent the system breakdown due to the
large capacity mail. It is also necessary to limit the
number of transmissions in order to circumvent the
system breakdown due to the large amount
transmission.

Compatibility

It is necessary not to require [...]
change to the implementation of the [...] mail
[...]

[...]

It is necessary not to require a [...]
change to the handling of the existing mail system.

The MTA (Message Transfer Agent) such as
sendmail and [...] forgery of the envelope
information [...] information and
refuses the delivery. The [...] mail
receiving from a mail server which is a source of the
SPAM by referring to the so called black list such as
MAPS RBL. The MTA [...]
using someone else's real email address and
refuses the delivery by carrying out the signature
verification using PGP, S/MIME, TLS, etc. The MTA
also limits the message length by partial deletion of
the message text.

One of the causes of the SPAM and the
harassment is the real email address. The real email
address is associated with the following problems.
User's identity can be guessed from real email
address:

The real email address contains an information
useful in guessing the identity so that it can be used
in selecting the harassment target. For example,
the place of employment can be identified from the
real domain. Also, the name and the sex can be
guessed from the user name.

Real email address can be guessed from user's
identity:

The real email address has a universal format
of [user name]@[domain name] so that the real
email address can be guessed if the user's identity
is known, without an explicit knowledge of the real
email address itself. For example, if the user's real
name is known, the candidates for the user name
can be enumerated. Also, if the user's affiliation is
known, the candidates for the domain name can be
enumerated. Even in the case where the user name
is given by a character string which is totally
unrelated to the real name, if the naming rule for the
user name is known, the user name can be
guessed by trial and error transmissions.

Real email address is transferrable:

The real email address can be transferred from
one person to another, so that mails can be
transmitted even if the real email address is not taught by
the holder himself. The transfer of real email
address through mails includes the following cases.
By specifying the other's real email address in the
cc: line of the mail, that real email address can be
transferred to all the recipients specified in the To:
line of the mail. Also, by forwarding the mail that
contains the real email address [...]
specified in the To: line in the message text to a
third person, that real email address can be
transferred to the third person.

Real email address [...]:

It is difficult to cancel the real email address
because if the real email address is cancelled it
becomes impossible to read not only the SPAM and
the harassment mails but also the important mails
as well.

[0006] Cypherpunk remailers and [...] remailers
which are collectively known as Anonymous remailers
use a scheme for delivering mails after encrypting
the real email address and the real domain of the
sender. This scheme is called the reply block. The
encryption and decryption of the reply block use a
public key and a secret key of the Anonymous remailers so
that it is difficult to identify the real email address and
the real domain of the sender for any users other than
the sender.

[0007] The Anonymous remailers also make it difficult
to transfer the real email address because it is difficult to
identify the real email address. However, the reply block
is transferrable, so that reply mails can be returned to
the sender from users other than the recipient.
[0008] AS-Node and nym.alias.net which are
collectively known as Pseudonymous servers use mail
transmission and reception using a pseudonym account
uniquely corresponding to the real email address of the
user. The pseudonym account can be arbitrarily created
at the user side so that the user can have a pseudonym
account from which the real email address is hard to
guess. In addition, by the use of the reply block, it is also
possible to conceal the real email address and the real
domain of the user to the Pseudonymous server. By
combining these means, it can be made difficult to
identify the real email address and the real domain of the
sender for any users other than the sender. Also, the
pseudonym account is cancellable so that there is no
need to cancel the real email address.
[0009] The Pseudonymous servers also make it
difficult to transfer the real email address because it is
difficult to identify the real email address. However, the
pseudonym account is transferrable so that reply mails
can be returned to the sender from users other than the
recipient.

[0010] In addition, in order to protect a recipient from
the SPAM and the harassment, it is also necessary to
reject a connection request from a sender who is
exercising such action. For this reason, it is necessary for
the communication system to be capable of uniquely
identifying the identity of the sender.



[0011] In view of these factors, the communication
system is required to be capable of uniquely identifying
the identity of the user while concealing the real email
address of the user (that is while guaranteeing the
anonymity of the user), but in the conventional
communication system, it has been difficult to meet both of
these requirements.

[0012] [...] in the
mail system [...] that user is
necessary. [...] remailers
deliver [...]
email address of the sender in order to guarantee the
anonymity of the sender. In order to identify the identity
of the sender [...] necessary to
trace the delivery route of the mail using the traffic
analysis. However, the Anonymous remailers may delay the
mail delivery or interchange [...] mails.
Also, [...] it into plural blocks. For this reason, it is
difficult to trace the delivery [...]
therefore the identification of the identity [...]
difficult.

[0013] The Pseudonymous servers also [...]
Anonymous remailers for the [...] so that it is
possible to guarantee the anonymity of the sender but it
is also difficult to uniquely identify the identity of the
sender.

[0014] On the other hand, [...] Signature
Law allows entry of a pseudonym instead of a real
name into a digital certificate for generating the digital
signature to be used in communication services. The
digital certificate is uniquely assigned to the user so that
the identity of the user can be uniquely identified even if
the pseudonym is entered. Also, the right for naming the
pseudonym is given to the user side so that it is possible
to enter the pseudonym from which it is difficult to guess
the real name.

SUMMARY OF THE INVENTION

[0015] It is therefore an object of the present invention
to provide an email access control scheme in a
communication network which is capable of resolving the above
described problems of the real email address which is
one of the causes of the SPAM and the harassment.
[0016] It is another object of the present invention to
provide an email access control scheme in a
communication network which is capable of enabling a unique
identification of the identity of the user while concealing
the user identification.

[0017] In order to resolve the problems associated
with the transfer and the cancellation of the real email
address, the present invention employs the email
access control scheme using a personalized access
ticket (PAT). In order to resolve the problem associated
with the transfer of the real email address, the
destination is specified by the PAT which contains both the real
email address of the sender and a real email address of
the recipient. Also, in order to resolve the problem
associated with the cancellation of the real email address, a
validity period is set in the PAT by a Trusted Third Party.
Then, the mail delivery from the sender who presented
the PAT with the expired validity period will be refused.
Also, instead of cancelling the real email address, the
PAT is registered at a secure storage [...]
by a secure communication service.
[0018] In other words, [...]
accesses in units in which the real [...]
sender and the real email address of the recipient [...]
paired. For this reason, even when the real email
address is transferred, it is possible to avoid receiving
mails from users to which the real email address has
been transferred, as long as [...]
these users.

[0019] Also, in the present invention, it is possible to
refuse receiving mails without cancelling the real email
address because the mail delivery from the sender who
presented the PAT with the [...]
PAT that is registered in a database by the recipient will
be refused.
[0020] Also, in the present invention, the mail
receiving can be resumed without re-acquiring the real email
address because the mail receiving can be resumed by
deleting the PAT from the above described storage
device.

[0021] Also, in the present invention, the time
consumption and economical loads required for the mail
receiving or downloading at the user side can be
reduced because the transmission [...] are refused
at the server side.
[0022] In addition, the present invention [...]
email access control scheme using an official
identification (OID) and an anonymous identification (AID) in
order to make it possible to identify the identity of the
user while guaranteeing the anonymity of the user.
[0023] Namely, in the present invention, a certificate in
which the personal information is signed by a secret key
of the Trusted Third Party is assigned to each user in
order to uniquely identify each user. This certificate will
be referred to as OID. Also, a certificate which contains
fragments of the OID information is assigned to each
user as a user identifier on a communication network in
order to make it possible to identify the identity while
guaranteeing the anonymity of the user. This certificate
will be referred to as AID.

[0024] Also, in the present invention, the OID is
reconstructed by judging the identity of a plurality of AIDs in
order to identify the identity of the user. Also, the AID is
contained in the PAT and the PAT is authenticated at a
secure communication service (SCS) in order to resolve
the problems associated with the transfer and the
cancellation of the AID.

[0025] Also, in the present invention, the AID is
managed in a directory which is accessible for search by
unspecified many and which outputs the PAT containing
the AID as a destination, in order to meet the user side
demand for being able to admit accesses from
unspecified many without revealing the own identity.
[0026] In this way, in the present invention, the identity
of the user can be concealed in the mail transmission
and reception [...] the AID only contains fragments
of the OID. Also, the identity of the user can be
concealed from unspecified many even when the AID is
registered at the directory service which is accessible
from unspecified many.

[0027] Also, in the present invention, the identity of the
user can be identified probabilistically by reconstructing
the OID by judging the identity of a plurality of AIDs. For
this reason, it is possible [...]
the SPAM and the harassment without revealing the
[...]
[0028] Also, in the present invention, it is possible to
admit accesses from unspecified many without
revealing the identity, by managing the AID rather than the real
email address at the directory and outputting the PAT
containing the AID as a destination at the directory.
[0029] More specifically, according to one aspect of
the present invention there is provided a method of
email access control, comprising the steps of: receiving
a personalized access ticket containing a sender's
identification and a recipient's identification in
correspondence, which is presented by a sender who wishes to
send an email to a recipient so as to specify the
recipient as an intended destination of the email, at a secure
communication service for connecting communications
between the sender and the receiver; and controlling
accesses between the sender and the recipient by
verifying an access right of the sender with respect to the
recipient according to the personalized access ticket at
the secure communication service.
[0030] Also, in this aspect of the present invention, at
the controlling step the secure communication service
authenticates the personalized access ticket presented
by the sender, and refuses a delivery of the email when
the personalized access ticket presented by the sender
has been altered.

[0031] Also, in this aspect of the present invention, the
personalized access ticket is signed by a secret key of a
secure processing device which issued the
personalized access ticket, and at the controlling step the secure
communication service authenticates the personalized
access ticket by verifying a signature of the secure
processing device in the personalized access ticket
using a public key of the secure processing device.
[0032] Also, in this aspect of the present invention, at
the receiving step the secure communication service
also receives the sender's identification presented by
the sender along with the personalized access ticket,
and at the controlling step the secure communication
service checks whether the sender's identification
presented by the sender is contained in the personalized
access ticket presented by the sender, and refuses a
delivery of the email when the sender's identification
presented by the sender is not contained in the
personalized access ticket presented by the sender.
[0033] Also, in this aspect of the present invention, the
personalized access ticket also contains a validity
period indicating a period for which the personalized
access ticket is valid, and at the controlling step the
secure communication service checks the validity
period contained in the personalized access ticket
presented by the sender and refuses a delivery of the email
when the personalized access ticket presented by the
sender contains the validity period [...]
been expired.

[0034] Also, in this aspect of the present invention, the
validity period of the personalized access ticket is set by
a trusted third party.
[0035] Also, in this aspect of the present invention, the
method can further comprise the step of: [...] the
personalized access ticket [...]
service for managing an identification of each registrant
and a disclosed information of each registrant which
has a lower secrecy than a personal information [...]
state which is accessible for search by unspecified
many, in response to search conditions [...]
sender, by using an identification of a registrant [...]
disclosed information matches the search conditions as
the recipient's identification and the sender's
identification specified by the sender along with the search
conditions.

[0036] Also, in this aspect of the present invention, the
method can further comprise the step of: registering in
advance the personalized access ticket containing an
identification of a specific user from which a delivery of
emails to a specific registrant is to be refused as the
sender's identification and an identification of the
specific registrant as the recipient's identification, at the
secure communication service, wherein at the controlling
step the secure communication service refuses a
delivery of the email from the sender when the personalized
access ticket presented by the sender is registered
therein in advance at the registering step.
[0037] Also, in this aspect of the present invention, the
method can further comprise the step of: deleting the
personalized access ticket registered at the secure
communication service upon request from the specific
registrant who registered the personalized access ticket
at the registering step.

[0038] Also, in this aspect of the present invention, the 
personalized access ticket also contains a transfer con- 
trol flag indicating whether or not the sender should be 
authenticated by the secure communication service, 
and at the controlling step, when the transfer control flag 
contained in the personalized access ticket indicates 
that the sender should be authenticated, the secure 
communication service authenticates the sender's iden- 
tification presented by the sender and refuses a delivery 
of the email when an authentication of the sender's 
identification fails. 
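
The refusal rules of paragraphs [0030] to [0038], in the order the text lists them, as an added Python example (not code from the patent). Assumptions: HMAC-SHA256 stands in for the secure processing device's secret-key signature and public-key verification, the challenge/response procedure is reduced to a callback, and all class names, result strings and identifiers are constructed for illustration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from datetime import datetime, timezone

# Constructed key for the secure processing device that issues tickets.
# Assumption: the text specifies a secret-key signature checked with the
# device's public key; HMAC-SHA256 stands in so this runs on the stdlib.
DEVICE_KEY = b"constructed-demo-key"


@dataclass(frozen=True)
class PAT:
    sender_id: str             # sender's identification (e.g. an AID)
    recipient_id: str          # recipient's identification
    valid_until: datetime      # validity period set by the trusted third party
    authenticate_sender: bool  # transfer control flag
    signature: str = ""

    def payload(self) -> bytes:
        # Canonical encoding of every field the signature must cover.
        return json.dumps([self.sender_id, self.recipient_id,
                           self.valid_until.isoformat(),
                           self.authenticate_sender]).encode()


def sign(pat: PAT, key: bytes = DEVICE_KEY) -> str:
    return hmac.new(key, pat.payload(), hashlib.sha256).hexdigest()


def issue(sender_id, recipient_id, valid_until, authenticate_sender=False):
    """Secure processing device: build and sign a ticket."""
    unsigned = PAT(sender_id, recipient_id, valid_until, authenticate_sender)
    return replace(unsigned, signature=sign(unsigned))


class SecureCommunicationService:
    """Hypothetical SCS applying the refusal rules in the order listed."""

    def __init__(self):
        self._refused = set()  # tickets registered by recipients

    def register(self, pat):
        self._refused.add(pat)

    def delete(self, pat):
        self._refused.discard(pat)

    def check(self, pat, presented_sender_id, now,
              authenticate=lambda sender_id: False):
        # authenticate: stand-in for the challenge/response procedure;
        # the default fails closed.
        if not hmac.compare_digest(sign(pat), pat.signature):
            return "refuse: ticket altered"
        if presented_sender_id != pat.sender_id:
            return "refuse: sender not in ticket"
        if now > pat.valid_until:
            return "refuse: validity period expired"
        if pat in self._refused:
            return "refuse: ticket registered by recipient"
        if pat.authenticate_sender and not authenticate(presented_sender_id):
            return "refuse: sender authentication failed"
        return "deliver"


def demo():
    now = datetime(2024, 1, 15, tzinfo=timezone.utc)
    expiry = datetime(2024, 6, 30, tzinfo=timezone.utc)
    scs = SecureCommunicationService()
    pat = issue("aid-sender-01", "aid-recipient-07", expiry)
    results = {
        "valid": scs.check(pat, "aid-sender-01", now),
        # Ticket passed on to a third party: the presenter is not the sender.
        "transferred": scs.check(pat, "aid-other-99", now),
        # Recipient field rewritten after issuance: signature no longer matches.
        "altered": scs.check(replace(pat, recipient_id="aid-recipient-08"),
                             "aid-sender-01", now),
        "expired": scs.check(pat, "aid-sender-01",
                             datetime(2024, 7, 1, tzinfo=timezone.utc)),
    }
    scs.register(pat)
    results["registered"] = scs.check(pat, "aid-sender-01", now)
    scs.delete(pat)
    results["after_delete"] = scs.check(pat, "aid-sender-01", now)
    strict = issue("aid-sender-01", "aid-recipient-07", expiry, True)
    results["unauthenticated"] = scs.check(strict, "aid-sender-01", now)
    results["authenticated"] = scs.check(strict, "aid-sender-01", now,
                                         authenticate=lambda s: True)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16} {outcome}")
```

Deleting the registered ticket restores delivery without issuing anything new, which is the resumption property described in paragraph [0020].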

[0039] Also, in this aspect of the present invention, the
authentication of the sender's identification is realized
by a challenge/response procedure between the sender
and the secure communication service.

[0040] Also, in this aspect of the present invention, the
transfer control flag [...] personalized access ticket is
[...]

[0041] Also, in this aspect of the present invention, the
sender's identification and [...]
in the personalized access ticket can be given by real
email addresses of the sender and [...]
[...] in the personalized access ticket can be given
[...] anonymous identification of the recipient,
where an anonymous identification [...]
contains at least one fragment of an official identification of
each user by which each user is uniquely identifiable by
a certification authority.
[0043] Also, in this aspect of the present invention, the
anonymous identification of each user is an information
containing the at least one fragment of the official
identification of each user which is signed by the certification
authority using a secret key of the certification authority.
[0044] Also, in this aspect of the present invention, the
official identification of each user is a character string
uniquely assigned to each user by the certification
authority and a public key of each user which are signed
by a secret key of the certification authority.
[0045] Also, in this aspect of the present invention, the
method can further comprise the step of: probabilistically
identifying an identity of the sender by reconstructing
the official identification of the sender by judging
identity of a plurality of anonymous identifications of the
sender contained in a plurality of personalized access
tickets used by the sender.
[0046] Also, in this aspect of the present invention, an
anonymous identification of each user that contains at
least one fragment of an official identification of each
user by which each user is uniquely identifiable by a
certification authority and a link information of each
anonymous identification by which each anonymous
identification can be uniquely identified can be defined,
and the sender's identification and the recipient's
identification in the personalized access ticket can be given
by a link information of the anonymous identification of
the sender and a link information of the anonymous
identification of the recipient.

[0047] Also, in this aspect of the present invention, the
link information of each anonymous identification is an
identifier uniquely assigned to each anonymous
identification by the certification authority.
[0048] Also, in this aspect of the present invention, the
method can further comprise the step of: probabilistically
identifying an identity of the sender by reconstructing
the official identification of the sender by judging
identity of a plurality of anonymous identifications of the
sender corresponding to the link information contained
in a plurality of personalized access tickets used by the
sender.
[0049] Also, in this aspect of the present invention, the
personalized access ticket can contain a single sender's
identification and a single recipient's identification in
1-to-1 correspondence.
[0050] Also, in this aspect of the present invention, the
personalized access ticket can contain a single sender's
identification and a plurality of recipient's identifications
in 1-to-N correspondence.
[0051] Also, in this aspect of the present invention,
one identification among the single sender's
identification and the plurality of recipient's identifications is a
holder identification for identifying a holder of the
personalized access ticket while other identifications
among the single sender's identification and the
plurality of recipient's identifications are member
identifications for identifying members of a group to which the
holder belong.
[0052] Also, in this aspect of the present invention, the
method can further comprise the step of: issuing an
identification of each user and an enabler of the
identification of each user indicating a right to change the
personalized access ticket containing the identification of
each user as the holder identification, to each user at a
certification authority, such that prescribed processing
on the personalized access ticket can be carried out at
a secure processing device only by a user who
presented both the holder identification contained in the
personalized access ticket and the enabler
corresponding to the holder identification to the secure processing
device.
[0053] Also, in this aspect of the present invention, the
certification authority issues the enabler of the
identification of each user as an information indicating that it is
the enabler and the identification of each user itself
which are signed by a secret key of the certification
authority.
[0054] Also, in this aspect of the present invention, the
prescribed processing includes a generation of a new
personalized access ticket, a merging of a plurality of
personalized access tickets, a splitting of one
personalized access ticket into a plurality of personalized access
tickets, a changing of the holder of the personalized
access ticket, changing of a validity period of the
personalized access ticket, and a changing of a transfer
control flag of the personalized access ticket.
[0055] Also, in this aspect of the present invention, a
special identification and a special enabler
corresponding to the special identification which are known to all
users can be defined such that the generation of a new
personalized access ticket and the changing of the
holder of the personalized access ticket can be carried
out by the holder of the personalized access ticket by
using the special identification and the special enabler
without using an enabler of a member identification.
[0056] Also, in this aspect of the present invention, the
special identification is defined to be capable of being
used only as the holder identification of the
personalized access ticket.
[0057] Also, in this aspect of the present invention, a
special identification which is known to all users can be
defined [...]
personalized access ticket by using the special
identification [...]
[0058] Also, in this aspect of the present invention, at
the controlling step, when the access right of the sender
with respect to the recipient [...]
personalized access ticket, the secure communication
service [...] from the
personalized access ticket by using the [...]
identification presented by the sender, [...] mail by
using [...] taken [...] recipient's [...] format
that can be [...]
actually carrying out a mail [...] and
gives the mail after conversion to the mail transfer
function by attaching the personalized access ticket.
[0059] According to another aspect of the present
invention there is provided a method of email access
control, comprising the steps of: defining an official
identification of each user by which each user is
uniquely identifiable by a certification authority, and an
anonymous identification of each user containing at
least one fragment of the official identification; and
identifying each user by the anonymous identification of
each user in communications for emails on a
communication network.
[0060] Also, in this aspect of the present invention, the
anonymous identification of each user is an information
containing the at least one fragment of the official
identification of each user which is signed by the certification
authority using a secret key of the certification authority.
[0061] Also, in this aspect of the present invention, the
official identification of each user is a character string
uniquely assigned to each user by the certification
authority and a public key of each user which are signed
by a secret key of the certification authority.
[0062] Also, in this aspect of the present invention, the
method can further comprise the steps of: receiving a
personalized access ticket containing a sender's
anonymous identification and a recipient's anonymous
identification in correspondence, which is presented by a
sender who wishes to send an email to a recipient so as
to specify the recipient as an intended destination of the
email, at a secure communication service for
connecting communications between the sender and the
receiver; and controlling accesses between the sender
and the recipient by verifying an access right of the
sender with respect to the recipient according to the
personalized access ticket at the secure communication
service.
[0063] Also, in this aspect of the present invention, the
method can further comprise the step of: probabilistically
identifying an identity of the sender at the secure
communication service by reconstructing the official
identification of the sender while judging identity of a
plurality of anonymous identifications of the sender
contained in a plurality of personalized access tickets used
by the sender.

[0064] Also, in this aspect of the present invention, the
defining step can also define a link information of each
anonymous identification by which each anonymous
identification can be uniquely identified, and each
anonymous identification can also contain the link
information of each anonymous identification.

[0065] Also, in this aspect of the present invention, the
link information of each anonymous identification is an
identifier uniquely assigned to each anonymous
identification by the certification authority.
[0066] Also, in this aspect of the present invention, the
method can further comprise the steps of: receiving a
personalized access ticket containing a link information
of a sender's anonymous identification and a link
information of a recipient's anonymous identification in
correspondence, which is presented by a sender who
wishes to send an email to a recipient so as to specify
the recipient as an intended destination of the email, at
a secure communication service for connecting
communications between the sender and the receiver; and
controlling accesses between the sender and the
recipient by verifying an access right of the sender with
respect to the recipient according to the personalized
access ticket at the secure communication service.
[0067] Also, in this aspect of the present invention, the
method can further comprise the step of: probabilistically
identifying an identity of the sender by reconstructing
the official identification of the sender while judging
identity of a plurality of anonymous identifications of the
sender corresponding to the link information contained
in a plurality of personalized access tickets used by the
sender.

[0068] According to another aspect of the present
invention there is provided a communication system
realizing email access control, comprising: a
communication network to which a plurality of user terminals are
connected; and a secure communication service device
for connecting communications between the sender and
the receiver on the communication network, by receiving
a personalized access ticket containing a sender's
identification and a recipient's identification in
correspondence, which is presented by a sender who wishes
to send an email to a recipient so as to specify the
recipient as an intended destination of the email, and
controlling accesses between the sender and the recipient by
verifying an access right of the sender with respect to
the recipient according to the personalized access
ticket.
[0069] Also, in this aspect of the present invention, the
secure communication service device authenticates the
personalized access ticket presented by the sender,
and refuses a delivery of the email when the
personalized access ticket presented by the sender has been
altered.

[0070] Also, in this aspect of the present invention, the
system further comprises: a secure processing device
for issuing the personalized access ticket which is
signed by a secret key of the secure processing device,
wherein the secure communication service device
authenticates the personalized access ticket by verifying
a signature of the secure processing device in the
personalized access ticket using a public key of the
secure processing device.

[0071] Also, in this aspect of the present invention, the
secure communication service device also receives the
sender's identification presented by the sender along
with the personalized access ticket, checks whether the
sender's identification presented by the sender is
contained in the personalized access ticket presented by
the sender, and refuses a delivery of the email when the
sender's identification presented by the sender is not
contained in the personalized access ticket presented
by the sender.
[0072] Also, in this aspect of the present invention, the
personalized access ticket also contains a validity
period indicating a period for which the personalized
access ticket is valid, and the secure communication
service device checks the validity period contained in
the personalized access ticket presented by the sender
and refuses a delivery of the email when the
personalized access ticket presented by the sender contains the
validity period that has already been expired.

[0073] Also, in this aspect of the present invention, the




[0074] Also, in this aspect of the present invention, the
system can further comprise: a directory service device
for managing an identification of each registrant and
a disclosed information of each registrant which
has a lower secrecy than a personal information, in a
state which is accessible for search by unspecified
many, and issuing the personalized access ticket to the
sender in response to search conditions specified by
the sender, by using an identification of a registrant
whose disclosed information [illegible] the search
conditions as the recipient's identification and the sender's
identification specified by the sender along with the
search conditions.

[0075] Also, in this aspect of the present invention, the
secure communication service device can register in
advance the personalized access ticket containing an
identification of a specific user from which a delivery of
emails to a specific registrant is to be refused as the
sender's identification and an identification of the
specific registrant as the recipient's identification, and
refuse a delivery of the email from the sender when the
personalized access ticket presented by the sender is
registered therein in advance.

[0076] Also, in this aspect of the present invention, the
secure communication service device can delete the
personalized access ticket registered therein upon
request from the specific registrant who registered the
personalized access ticket.

[0077] Also, in this aspect of the present invention, the
personalized access ticket also contains a transfer
control flag indicating whether or not the sender should be
authenticated by the secure communication service,
and when the transfer control flag contained in the
personalized access ticket indicates that the sender should
be authenticated, the secure communication service
device authenticates the sender's identification
presented by the sender and refuses a delivery of the email
when an authentication of the sender's identification
fails.

[0078] Also, in this aspect of the present invention, the
authentication of the sender's identification is realized
by a challenge/response procedure between the sender
and the secure communication service device.
[0079] Also, in this aspect of the present invention, the
system further comprises a trusted third party for setting
the transfer control flag of the personalized access
ticket.

[0080] Also, in this aspect of the present invention, the
sender's identification and the recipient's identification
in the personalized access ticket can be given by real
email addresses of the sender and the recipient.
[0081] Also, in this aspect of the present invention, the
system can further comprise: a certification authority
device for issuing an anonymous identification of each
user which contains at least one fragment of an official
identification of each user by which each user is
uniquely identifiable by the certification authority device,
wherein the sender's identification and the recipient's
identification in the personalized access ticket can be
given by anonymous identifications of the sender and
the recipient.

[0082] Also, in this aspect of the present invention, the
anonymous identification of each user is an information
containing the at least one fragment of the official
identification of each user which is signed by the certification
authority device using a secret key of the certification
authority device.

[0083] Also, in this aspect of the present invention, the
official identification of each user is a character string
uniquely assigned to each user by the certification
authority device and a public key of each user which are
signed by a secret key of the certification authority
device.

[0084] Also, in this aspect of the present invention, the
secure communication service device can probabilistically
identify an identity of the sender by reconstructing
the official identification of the sender while judging
identity of a plurality of anonymous identifications of the
sender contained in a plurality of personalized access
tickets used by the sender.

[0085] Also, in this aspect of the present invention, the
system can further comprise: a certification authority
device for issuing an anonymous identification of each
user which contains at least one fragment of an official
identification of each user by which each user is
uniquely identifiable by the certification authority device
and a link information of each anonymous identification
by which each anonymous identification can be
uniquely identified, wherein the sender's identification
and the recipient's identification in the personalized
access ticket can be given by a link information of the



[0086] Also, in this aspect of the present invention, the
link information of each anonymous identification is an
identifier uniquely assigned to each anonymous identifi-




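[0087] Also, in this aspect of the present invention, the
secure communication service device can probabilistically
identify an identity of the sender by reconstructing
the official identification of the sender while judging
identity of a plurality of anonymous identifications of the
sender corresponding to the link information contained
in a plurality of personalized access tickets used by the
sender.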
[0088] Also, in this aspect of the present invention, the
personalized access ticket can contain a single sender's
identification and a single recipient's identification in
1-to-1 correspondence.

[0089] Also, in this aspect of the present invention, the
personalized access ticket can contain a single sender's
identification and a plurality of recipient's identifications
in 1-to-N correspondence, where N is an integer greater
than 1.

[0090] Also, in this aspect of the present invention,
one identification among the single sender's identification
and the plurality of recipient's identifications is a
holder identification for identifying a holder of the
personalized access ticket while other identifications
among the single sender's identification and the plurality
of recipient's identifications are member identifications
for identifying members of a group to which the
holder belongs.
[0091] Also, in this aspect of the present invention, the
system can further comprise: a certification authority
device for issuing to each user an identification of each
user and an enabler of the identification of each user
indicating a right to change the personalized access
ticket containing the identification of each user as the
holder identification; and a secure processing device at
which prescribed processing on the personalized
access ticket can be carried out only by a user who
presented both the holder identification contained in the
personalized access ticket and the enabler corresponding
to the holder identification to the secure processing
device.

[0092] Also, in this aspect of the present invention, the
certification authority device issues the enabler of the
identification of each user as an information indicating
that it is the enabler and the identification of each user
itself which are signed by a secret key of the certification
authority device.

[0093] Also, in this aspect of the present invention, the
prescribed processing includes a generation of a new
personalized access ticket, a merging of a plurality of
personalized access tickets, a splitting of one
personalized access ticket into a plurality of personalized access
tickets, a changing of the holder of the personalized
access ticket, a changing of a validity period of the
personalized access ticket, and a changing of a transfer
control flag of the personalized access ticket.
[0094] Also, in this aspect of the present invention, a
special identification and a special enabler corresponding
to the special identification which are known to all
users can be defined such that the generation of a new
personalized access ticket and the changing of the
holder of the personalized access ticket can be carried
out by the holder of the personalized access ticket by
using the special identification and the special enabler
without using an enabler of a member identification.
[0095] Also, in this aspect of the present invention, the
special identification is defined to be capable of being
used only as the holder identification of the
personalized access ticket.

[0096] Also, in this aspect of the present invention,
[illegible] special identification which is [illegible]
defined such that a read only attribute can be set to the
personalized access ticket by using the special
identification.

[0097] Also, in this aspect of the present invention,
when the access right of the sender with respect to the
recipient is verified according to the personalized
access ticket, the secure communication service device
takes out the recipient's identification from the
personalized access ticket by using the sender's identification
presented by the sender, converts the mail by using a
taken out recipient's identification into a format that can
be interpreted by a mail transfer function for actually
carrying out a mail delivery processing, and gives the
mail after conversion to the mail transfer function by
attaching the personalized access ticket.
[0098] According to another aspect of the present
invention there is provided a communication system
realizing email access control, comprising: a
certification authority device for defining an official identification
of each user by which each user is uniquely identifiable
by the certification authority device, and an anonymous
identification of each user which contains at least one
fragment of the official identification; and a
communication network on which each user is identified by the
anonymous identification of each user in
communications for emails on the communication network.
[0099] Also, in this aspect of the present invention, the
anonymous identification of each user is an information
containing the at least one fragment of the official
identification of each user which is signed by the certification
authority device using a secret key of the certification
authority device.

[0100] Also, in this aspect of the present invention, the
official identification of each user is a character string
uniquely assigned to each user by the certification
authority device and a public key of each user which are
signed by a secret key of the certification authority
device.

[0101] Also, in this aspect of the present invention, the
system can further comprise: a secure communication
service device for connecting communications between
the sender and the receiver on the communication
network, by receiving a personalized access ticket
containing a sender's anonymous identification and a
recipient's anonymous identification in correspondence,
which is presented by a sender who wishes to send an
email to a recipient so as to specify the recipient as an
intended destination of the email, and controlling
accesses between the sender and the recipient by
verifying an access right of the sender with respect to the
recipient according to the personalized access ticket.
[0102] Also, in this aspect of the present invention, the
secure communication service device can probabilistically
identify an identity of the sender by reconstructing
the official identification of the sender while judging
identity of a plurality of anonymous identifications of the
sender contained in a plurality of personalized access
tickets used by the sender.
[0103] Also, in this aspect of the present invention, the
certification authority device can also define a link
information of each anonymous identification by which each
anonymous identification can be uniquely identified,
and each anonymous identification can also contain the
link information of each anonymous identification.
[0104] Also, in this aspect of the present invention, the
link information of each anonymous identification is an
identifier uniquely assigned to each anonymous
identification by the certification authority device.
[0105] Also, in this aspect of the present invention, the
system can further comprise: a secure communication
service device for connecting communications between
the sender and the receiver on the communication
network, by receiving a personalized access ticket
containing a link information of a sender's anonymous
identification and a link information of a recipient's
anonymous identification in correspondence, which is
presented by a sender who wishes to send an email to
a recipient so as to specify the recipient as an intended
destination of the email, and controlling accesses
between the sender and the recipient by verifying an
access right of the sender with respect to the recipient
according to the personalized access ticket.
[0106] Also, in this aspect of the present invention, the
secure communication service device can probabilistically
identify an identity of the sender by reconstructing
the official identification of the sender while judging
identity of a plurality of link informations of anonymous
identifications of the sender contained in a plurality of
personalized access tickets used by the sender.
[0107] According to another aspect of the present
invention there is provided a secure communication
service device for use in a communication system
realizing email access control, comprising: a computer
hardware; and a computer software for causing the
computer hardware to connect communications
between the sender and the receiver, by receiving a
personalized access ticket containing a sender's
identification and a recipient's identification in correspondence,
which is presented by a sender who wishes to send an
email to a recipient so as to specify the recipient as an
intended destination of the email, and controlling
accesses between the sender and the recipient by
verifying an access right of the sender with respect to the
recipient according to the personalized access ticket.
[0108] Also, in this aspect of the present invention, the
computer software causes the computer hardware to
authenticate the personalized access ticket presented
by the sender, and refuse a delivery of the email when
the personalized access ticket presented by the sender
has been altered.

[0109] Also, in this aspect of the present invention, the
personalized access ticket is signed by a secret key of a
secure processing device which issued the
personalized access ticket, and the computer software causes
the computer hardware to authenticate the personalized
access ticket by verifying a signature of the secure
processing device in the personalized access ticket
using a public key of the secure processing device.
[0110] Also, in this aspect of the present invention, the
computer software causes the computer hardware to
also receive the sender's identification presented by the
sender along with the personalized access ticket, check
whether the sender's identification presented by the
sender is contained in the personalized access ticket
presented by the sender, and refuse a delivery of the
email when the sender's identification presented by the
sender is not contained in the personalized access
ticket presented by the sender.

[0111] Also, in this aspect of the present invention, the
personalized access ticket also contains a validity
period indicating a period for which the personalized
access ticket is valid, and the computer software causes
the computer hardware to check the validity period
contained in the personalized access ticket presented by
the sender and refuse a delivery of the email when the
personalized access ticket presented by the sender
contains the validity period that has already been
expired.

[0112] Also, in this aspect of the present invention, the
computer software can cause the computer hardware to
register in advance the personalized access ticket
containing an identification of a specific user from which a
delivery of emails to a specific registrant is to be refused
as the sender's identification and an identification of the
specific registrant as the recipient's identification, at the
secure communication service device, and refuse a
delivery of the email from the sender when the
personalized access ticket presented by the sender is
registered at the secure communication service device in
advance.
[0113] Also, in this aspect of the present invention, the
computer software can cause the computer hardware to
delete the personalized access ticket registered at the
secure communication service device upon request
from the specific registrant who registered the
personalized access ticket.

[0114] Also, in this aspect of the present invention, the
personalized access ticket also contains a transfer
control flag indicating whether or not the sender should be
authenticated by the secure communication service
device, and when the transfer control flag contained in
the personalized access ticket indicates that the sender
should be authenticated, the computer software causes
the computer hardware to authenticate the sender's
identification presented by the sender and refuse a
delivery of the email when an authentication of the

[0115] Also, in this aspect of the present invention, the
computer software causes the computer hardware to
realize the authentication of the sender's identification
by a challenge/response procedure between the sender
and the secure communication service device.
[0116] Also, in this aspect of the present invention, the
sender's identification and the recipient's identification
in the personalized access ticket can be given by
anonymous identifications of the sender and the recipient,
where an anonymous identification of each user
contains at least one fragment of an official identification of
each user by which each user is uniquely identifiable by
a certification authority, and the computer software can
also cause the computer hardware to probabilistically
identify an identity of the sender by reconstructing the
official identification of the sender by judging identity of
a plurality of anonymous identifications of the sender
contained in a plurality of personalized access tickets
used by the sender.

[0117] Also, in this aspect of the present invention, an
anonymous identification of each user that contains at
least one fragment of an official identification of each
user by which each user is uniquely identifiable by a
certification authority and a link information of each
anonymous identification by which each anonymous
identification can be uniquely identified can be defined,
the sender's identification and the recipient's
identification in the personalized access ticket can be given by a
link information of the anonymous identification of the
sender and a link information of the anonymous
identification of the recipient, and the computer software can
also cause the computer hardware to probabilistically
identify an identity of the sender by reconstructing the
official identification of the sender by judging identity of
a plurality of anonymous identifications of the sender
corresponding to the link information contained in a
plurality of personalized access tickets used by the sender.
[0118] Also, in this aspect of the present invention,
when the access right of the sender with respect to the
recipient is verified according to the personalized
access ticket, the computer software causes the
computer hardware to take out the recipient's identification
from the personalized access ticket by using the
sender's identification presented by the sender, convert
the mail by using a taken out recipient's identification
into a format that can be interpreted by a mail transfer
function for actually carrying out a mail delivery
processing, and give the mail after conversion to the
mail transfer function by attaching the personalized
access ticket.

[0119] According to another aspect of the present
invention there is provided a secure processing device
for use in a communication system realizing email
access control, comprising: a computer hardware; and
a computer software for causing the computer hardware
to receive a request for a personalized access ticket
from a user, and issue a personalized access ticket
containing a sender's identification and a recipient's
identification in correspondence, which is signed by a secret
key of the secure processing device.
[0120] According to another aspect of the present
invention there is provided a directory service device for
use in a communication system realizing email access
control, comprising: a computer hardware; and a
computer software for causing the computer hardware to
manage an identification of each registrant and a
disclosed information of each registrant which has a lower
secrecy than a personal information, in a state which is
accessible for search by unspecified many, and issue a
personalized access ticket containing a sender's
identification and a recipient's identification in
correspondence, to the sender in response to search conditions
specified by the sender, by using an identification of a
registrant whose disclosed information [illegible] the
search conditions as the recipient's identification and
the sender's identification specified by the sender along
with the search conditions.

[0121] According to another aspect of the present
invention there is provided a certification authority
device for use in a communication system realizing
email access control, comprising: a computer hardware;
and a computer software for causing the computer
hardware to issue to each user an official identification
of each user by which each user is uniquely identifiable
by the certification authority device, and an anonymous
identification of each user which contains at least one
fragment of the official identification.
[0122] According to another aspect of the present
invention there is provided a certification authority
device for use in a communication system realizing
email access control, comprising: a computer hardware;
and a computer software for causing the computer
hardware to issue to each user an identification of each
user and an enabler of the identification of each user
indicating a right to change any personalized access
ticket that contains the identification of each user as a
holder identification, where the personalized access
ticket generally contains a sender's identification and a
plurality of recipient's identifications in correspondence,
and one of the sender's identification and the recipient's
identifications is a holder identification.
[0123] According to another aspect of the present
invention there is provided a secure processing device
for use in a communication system realizing email
access control, comprising: a computer hardware; and
a computer software for causing the computer hardware
to receive from a user a request for prescribed
processing on [illegible] is a holder identification, and
[illegible] the prescribed [illegible] corresponding to the
holder identification which indicates a right to change
the personalized access ticket containing the
identification of the user as the holder identification.

[0124] According to another aspect of the present
invention there is provided a computer usable medium
having computer readable program code means
embodied therein for causing a computer to function as
a secure communication service device for use in a
communication system realizing email access control,
the computer readable program code means includes:
first computer readable program code means for causing
said computer to receive a personalized access
ticket containing a sender's identification and a
recipient's identification in correspondence, which is
presented by a sender who wishes to send an email to a
recipient so as to specify the recipient as an intended
destination of the email; and second computer readable
program code means for causing said computer to
control accesses between the sender and the recipient by
verifying an access right of the sender with respect to
the recipient according to the personalized access
ticket, so as to connect communications between the
sender and the receiver on the communication network.
[0125] Also, in this aspect of the present invention, the
second computer readable program code means
causes said computer to authenticate the personalized
access ticket presented by the sender, and refuse a
delivery of the email when the personalized access
ticket presented by the sender has been altered.
[0126] Also, in this aspect of the present invention, the
personalized access ticket is signed by a secret key of a
secure processing device which issued the
personalized access ticket, and the second computer readable
program code means causes said computer to
authenticate the personalized access ticket by verifying a
signature of the secure processing device in the
personalized access ticket using a public key of the
secure processing device.

[0127] Also, in this aspect of the present invention, the
first computer readable program code means causes
said computer to also receive the sender's identification
presented by the sender along with the personalized
access ticket, and the second computer readable
program code means causes said computer to check
whether the sender's identification presented by the
sender is contained in the personalized access ticket
presented by the sender and refuse a delivery of the
email when the sender's identification presented by the
sender is not contained in the personalized access
ticket presented by the sender.

[0128] Also, in this aspect of the present invention, the
personalized access ticket also contains a validity
period indicating a period for which the personalized
access ticket is valid, and the second computer readable
program code means causes said computer to
check the validity period contained in the personalized
access ticket presented by the sender and refuse a
delivery of the email when the personalized access
ticket presented by the sender contains the validity
period that has already been expired.
[0129] Also, in this aspect of the present invention, the
second computer readable program code means can
cause said computer to register in advance the
personalized access ticket containing an identification of a
specific user from which a delivery of emails to a specific
registrant is to be refused as the sender's identification
and an identification of the specific registrant as the
recipient's identification, at the secure communication
service device, and refuse a delivery of the email from
the sender when the personalized access ticket
presented by the sender is registered at the secure
communication service device in advance.
[0130] Also, in this aspect of the present invention, the
second computer readable program code means can
cause said computer to delete the personalized access
ticket registered at the secure communication service
device upon request from the specific registrant who
registered the personalized access ticket.
[0131] Also, in this aspect of the present invention, the personalized access ticket also contains a transfer control flag indicating whether or not the sender should be authenticated by the secure communication service device, and when the transfer control flag contained in the personalized access ticket indicates that the sender should be authenticated, the second computer readable program code means causes said computer to authenticate the sender's identification presented by the sender and refuse a delivery of the email when an authentication of the sender's identification fails.
[0132] Also, in this aspect of the present invention, the second computer readable program code means causes said computer to realize the authentication of the sender's identification by a challenge/response procedure between the sender and the secure communication service device.

[0133] Also, in this aspect of the present invention, the sender's identification and the recipient's identification in the personalized access ticket can be given by anonymous identifications of the sender and the recipient, where an anonymous identification of each user contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority, and the second computer readable program code means can also cause said computer to probabilistically identify an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

[0134] Also, in this aspect of the present invention, an anonymous identification of each user that contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority, and a link information of each anonymous identification by which each anonymous identification can be uniquely identified are defined, the sender's identification and the recipient's identification in the personalized access ticket can be given by a link information of the anonymous identification of the sender and a link information of the anonymous identification of the recipient, and the second computer readable program code means can also cause said computer to probabilistically identify an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender corresponding to the link information contained in a plurality of personalized access tickets used by the sender.

[0135] Also, in this aspect of the present invention, when the access right of the sender with respect to the recipient is verified according to the personalized access ticket, the second computer readable program code means causes said computer to take out the recipient's identification from the personalized access ticket by using the sender's identification presented by the sender, convert the mail by using a taken out recipient's identification into a format that can be interpreted by a mail transfer function for actually carrying out a mail delivery processing, and give the mail after conversion to the mail transfer function by attaching the personalized access ticket.
[0136] According to another aspect of the present invention there is provided a computer usable medium having computer readable program code means embodied therein for causing a computer to function as a secure processing device for use in a communication system realizing email access control, the computer readable program code means includes: first computer readable program code means for causing said computer to receive a request for a personalized access ticket, from a user; and second computer readable program code means for causing said computer to issue the personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is signed by a secret key of the secure processing device.

[0137] According to another aspect of the present invention there is provided a computer usable medium having computer readable program code means embodied therein for causing a computer to function as a directory service device for use in a communication system realizing email access control, the computer readable program code means includes: first computer readable program code means for causing said computer to manage an identification of each registrant and a disclosed information of each registrant which has a lower secrecy than personal information, which is accessible for search by unspecified many, and second computer readable program code means for causing said computer to issue a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, to the sender in response to search conditions specified by the sender, by using an identification of a registrant whose disclosed information matches the search conditions as the recipient's identification and the sender's identification specified by the sender along with the search conditions.

[0138] According to another aspect of the present invention there is provided a computer usable medium having computer readable program code means embodied therein for causing a computer to function as a certification authority device for use in a communication system realizing email access control, the computer readable program code means includes: first computer readable program code means for causing said computer to issue to each user an official identification of each user by which each user is uniquely identifiable by the certification authority device; and second computer readable program code means for causing said computer to issue to each user an anonymous identification of each user which contains at least one fragment of the official identification.

[0139] According to another aspect of the present invention there is provided a computer usable medium having computer readable program code means embodied therein for causing a computer to function as a certification authority device for use in a communication system realizing email access control, the computer readable program code means includes: first computer readable program code means for causing said computer to issue to each user an identification of each user; and second computer readable program code means for causing said computer to issue to each user an enabler of the identification of each user indicating a right to change any personalized access ticket that contains the identification of each user as a holder identification, where the personalized access ticket generally contains a sender's identification and a plurality of recipient's identifications in correspondence, and one of the sender's identification and the recipient's identifications is a holder identification.

[0140] According to another aspect of the present invention there is provided a computer usable medium having computer readable program code means embodied therein for causing a computer to function as a secure processing device for use in a communication system realizing email access control, the computer readable program code means includes: first computer readable program code means for causing said computer to receive from a user a request for a prescribed processing on a personalized access ticket containing a sender's identification and a plurality of recipient's identifications in correspondence, where one of the sender's identification and the recipient's identifications is a holder identification; and second computer readable program code means for causing said computer to execute the prescribed processing on the personalized access ticket when the user presents the holder identification contained in the personalized access ticket and an enabler corresponding to the holder identification which indicates a right to change the personalized access ticket containing the identification of the user as the holder identification.

[0141] Other features and advantages of the present invention will become apparent from the following description taken in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

Fig. 1 is a diagram showing an overall configuration of a communication system according to the first embodiment of the present invention.
Fig. 2 is a diagram showing exemplary data structures of an official identification, an anonymous identification, and a 1-to-1 personalized access ticket according to the first embodiment of the present invention.
Fig. 3 is a flow chart for an anonymous identification generation processing at a certification authority according to the first embodiment of the present invention.
Fig. 4 is a flow chart for a personalized access ticket generation processing at an anonymous directory service according to the first embodiment of the present invention.
Fig. 5 is a flow chart for a mail access control processing at a secure communication service according to the first embodiment of the present invention.
Fig. 6 is a flow chart for an anonymous identification identity judgement processing at a secure communication service according to the first embodiment of the present invention.
Fig. 7 is a diagram showing exemplary data structures of data used in the anonymous identification identity judgement processing of Fig. 6.
Fig. 8 is a diagram showing exemplary data structures of an official identification, an anonymous identification, and a 1-to-N personalized access ticket according to the second embodiment of the present invention.
Fig. 9 is a diagram showing exemplary data structures of an anonymous identification and an enabler according to the second embodiment of the present invention.
Fig. 10 is a diagram showing a definition of a processing rule (MakePAT) used in the second embodiment of the present invention.
Fig. 11 is a diagram showing a definition of a processing rule (MergePAT) used in the second embodiment of the present invention.
Fig. 12 is a diagram showing a definition of a processing rule (SplitPAT) used in the second embodiment of the present invention.
Fig. 13 is a diagram showing a definition of a processing rule (TransPAT) used in the second embodiment of the present invention.
Fig. 14 is a first exemplary system configuration that can be used in the second embodiment of the present invention.
Fig. 15 is a second exemplary system configuration that can be used in the second embodiment of the present invention.
Fig. 16 is a third exemplary system configuration that can be used in the second embodiment of the present invention.
Fig. 17 is a fourth exemplary system configuration that can be used in the second embodiment of the present invention.
Fig. 18 is a fifth exemplary system configuration that can be used in the second embodiment of the present invention.
Fig. 19 is a sixth exemplary system configuration that can be used in the second embodiment of the present invention.
Fig. 20 is a seventh exemplary system configuration that can be used in the second embodiment of the present invention.
Fig. 21 is a flow chart showing an overall processing flow of MakePAT, MergePAT or TransPAT processing according to the second embodiment of the present invention.
Fig. 22 is a flow chart showing an overall processing flow of SplitPAT processing according to the second embodiment of the present invention.
Fig. 23 is a flow chart for an anonymous identification list generation processing (for MakePAT, MergePAT, SplitPAT and TransPAT) according to the second embodiment of the present invention.
Fig. 24 is an enabler authenticity verification processing (for MakePAT, MergePAT, SplitPAT and TransPAT) according to the second embodiment of the present invention.
Fig. 25 is a diagram showing an exemplary data structure of Null-AID used in the third embodiment of the present invention.
Fig. 26 is a diagram showing an exemplary data structure of Enabler of Null-AID used in the third embodiment of the present invention.
Fig. 27 is a diagram showing a first exemplary application of the third embodiment of the present invention.
Fig. 28 is a diagram showing a second exemplary application of the third embodiment of the present invention.
Fig. 29 is a diagram showing an exemplary data structure of God-AID used in the fourth embodiment of the present invention.
Fig. 30 is a diagram showing a first exemplary application of the fourth embodiment of the present invention.
Fig. 31 is a diagram showing a second exemplary application of the fourth embodiment of the present invention.
Fig. 32 is a flow chart for a [illegible] identification check processing according to the fifth embodiment of the present invention.
Fig. 33 is a diagram showing an overall configuration of a communication system according to the sixth embodiment of the present invention.
Fig. 34 is a diagram showing exemplary data structures of an official identification, a link information attached anonymous identification, and a link specifying 1-to-1 personalized access ticket according to the sixth embodiment of the present invention.
Fig. 35 is a flow chart for a link information attached anonymous identification generation processing at a certification authority according to the sixth embodiment of the present invention.
Fig. 36 is a flow chart for a link specifying 1-to-1 personalized access ticket generation processing at an anonymous directory service according to the sixth embodiment of the present invention.
Fig. 37 is a flow chart for a mail access control processing at a secure communication service according to the sixth embodiment of the present invention.
Fig. 38 is a flow chart for an anonymous identification identity judgement processing at a secure communication service according to the sixth embodiment of the present invention.
Fig. 39 is a diagram showing exemplary data structures of data used in the anonymous identification identity judgement processing of Fig. 38.
Fig. 40 is a diagram showing exemplary data structures of an official identification, a link information attached anonymous identification, and a link specifying 1-to-N personalized access ticket according to the seventh embodiment of the present invention.
Fig. 41 is a diagram showing exemplary data structures of a link information attached anonymous identification and an enabler according to the seventh embodiment of the present invention.
Fig. 42 is a first exemplary system configuration that can be used in the seventh embodiment of the present invention.
Fig. 43 is a second exemplary system configuration that can be used in the seventh embodiment of the present invention.
Fig. 44 is a third exemplary system configuration that can be used in the seventh embodiment of the present invention.
Fig. 45 is a fourth exemplary system configuration that can be used in the seventh embodiment of the present invention.
Fig. 46 is a fifth exemplary system configuration that can be used in the seventh embodiment of the present invention.
Fig. 47 is a sixth exemplary system configuration that can be used in the seventh embodiment of the present invention.
Fig. 48 is a seventh exemplary system configuration that can be used in the seventh embodiment of the present invention.
Fig. 49 is a flow chart for a link specifying anonymous identification list generation processing (for MakePAT, MergePAT, SplitPAT and TransPAT) according to the seventh embodiment of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0143] Referring now to Fig. 1 to Fig. 7, the first embodiment of the email access control scheme according to the present invention will be described in detail.
[0144] The email access control scheme of the present invention enables bidirectional communications between a sender and a recipient appropriately while maintaining anonymity of a sender and a recipient on a communication network. Basically, this is realized by disclosing only information indicative of characteristics of recipients in a state of concealing true identifiers of the recipients, and assigning limited access rights with respect to those who wish to carry out communications while maintaining the anonymity according to the disclosed information.
[0145] More specifically, an Anonymous Identification (abbreviated hereafter as AID) that functions as a role identifier in which a personal information is concealed is assigned to a user, and this AID is disclosed on the network in combination with an information indicative of characteristics of the user such as his/her interests, age, job, etc., which cannot be used in identifying the user on the network but which can be useful for a sender in judging whether or not it is worth communicating with that user.

[0146] Also, the sender can search out a recipient with whom he/she wishes to communicate by reading or searching through the disclosed information. Namely, in the case where the sender wishes to communicate with a recipient while maintaining his/her own anonymity, the sender specifies the AID of that recipient and acquires a Personalized Access Ticket (abbreviated hereafter as PAT). The PAT contains the AIDs of the sender and the recipient as well as information regarding a transfer control flag and a validity period. The transfer control flag is used in order to determine whether or not a Secure Communication Service (abbreviated hereafter as SCS) to be described below carries out the authentication with respect to the sender. Namely, when the transfer control flag is ON, the SCS [illegible] such as signature verification [illegible] the sender at a time [illegible]. On the other hand, when the transfer control flag is OFF, the SCS will give the connection [illegible] communication network [illegible] connected, without carrying out the authentication. In other words, the transfer control flag is used [illegible] not the AID [illegible] properly [illegible] to whom it is allocated by a Certification Authority (abbreviated hereafter as CA).
[0147] In the communication system realizing the email access control scheme of the present invention, the assignment of AIDs with respect to users, the maintenance of information disclosed in combination with AIDs, the issuance of PATs, and the email access control based on PATs are realized by separate organizations. This is because it is more convenient to realize them by separate organizations from a perspective of maintaining the security of the entire network, since security levels to be maintained in relation to respective actions are different. Note however that the maintenance of the disclosed information and the issuance of PATs may be realized by the same organization.
[0148] Fig. 1 shows an overall configuration of a communication system in this first embodiment, which is directed to the email service on Internet or Intranet.

[0149] In Fig. 1, the CA (Certification Authority) 1 has a right to authenticate an Official Identification (abbreviated hereafter as OID) that identifies each individual and a right to issue AIDs, and functions to generate AIDs from OIDs and allocate AIDs to users 3.

[0150] The SCS (Secure Communication Service) 5 judges whether or not to admit a connection in response to a connection request by an email from a user 3 according to the PAT (Personalized Access Ticket) presented from a user 3. The SCS 5 also rejects a connection request by an email according to a request from a user 3. The SCS 5 also judges the identity of OIDs according to a request from a user 3.
[0151] An Anonymous Directory Service (abbreviated hereafter as ADS) 7 is a database for managing the AID, the transfer control flag value, the validity period value, and the disclosed information (such as interests, which can be regarded as requiring a lower secrecy compared with a personal information such as name, telephone number, and real email address) of each user 3. The ADS 7 has a function to generate the PAT from the AID of a user 3 who presented search conditions, the AID of a user 3 who has been registering the disclosed information that matches the search conditions in the ADS 7, the transfer control flag value given from a user 3 or administrators of the ADS, and the validity period value given from a user 3 or administrators of the ADS, and then allocate the PAT to a user 3 who presented the search conditions.
[0152] First, a series of processing from generating the AID from the OID according to a request of a user 3 until allocating the AID to that user will be described.
[0153] Fig. 2 shows exemplary formats of the OID, the AID, and the PAT. As shown in a part (a) of Fig. 2, the OID is an information comprising an arbitrary character string according to a rule by which the CA 1 can uniquely identify the user and a public key, which is signed by the CA 1 using a secret key of the CA 1.
[0154] Also, as shown in a part (b) of Fig. 2, the AID is an information comprising fragments of the OID and their position information, redundant [illegible], and an SCS information given by an arbitrary character string (host name, real domain name, etc.) by which a host or a domain that is operating the SCS 5 can be uniquely identified on the network, which is signed by the CA 1 using the secret key of the CA 1.

[0155] Also, as shown in a part (c) of Fig. 2, the PAT is an information comprising the transfer control flag, AID0, AID1, and the validity period, which is signed by the ADS 7 using a secret key of the ADS 7. Here, the transfer control flag value is defined to take either 0 or 1. Also, the validity period is defined by any one or combination of the number of times for which the PAT is available, the absolute time (UTC) by which the PAT becomes unavailable, the absolute time (UTC) by which the PAT becomes available, and the relative time (lifetime) since the PAT becomes available until it becomes unavailable.

[0156] Note that, as will be explained in the subsequent embodiments described below, in addition to the 1-to-1 PAT which sets one sender and one recipient in correspondence as described above, the present invention can also use a 1-to-N PAT which sets one sender and N recipients, as well as a link specifying PAT which specifies the AID by a link information that is capable of specifying the AID instead of specifying the AID itself in the PAT. The link specifying PAT can be either a link specifying 1-to-1 PAT or a link specifying 1-to-N PAT depending on the correspondence relationship between the sender and the recipients as described above. Namely, the PAT of the present invention can be given in four types: 1-to-1 PAT, 1-to-N PAT, link specifying 1-to-1 PAT, and link specifying 1-to-N PAT.

[0157] Next, a procedure by which the user 3 requests the AID to the CA 1 will be described. The user 3 generates a pair of a secret key and a public key. Then, the user 3 and the CA 1 carry out the bidirectional authentication using the OID of the user 3 and the certificate of the CA 1, and the user 3 transmits the public key to the CA 1 by arbitrary means. Here, there can be cases where communications between the user 3 and the CA 1 are to be encrypted.



[0158] Next, a procedure by which the CA 1 issues the AID to the user 3 in response to a request for the AID as described above will be described. Upon receiving the public key from the user 3, the CA 1 generates the AID. Then, the CA 1 transmits the AID to the user 3 by arbitrary means. Upon receiving the AID from the CA 1, the user 3 stores the received AID into its storage device. Here, there can be cases where communications between the user 3 and the CA 1 are to be encrypted.
[0159] Next, the AID generation processing at the CA 1 will be described with reference to Fig. 3.
[0160] In the procedure of Fig. 3, the CA 1 generates an information of a length equal to the total length L of the OID, and sets this information as a tentative AID (step S911). Then, in order to carry out the partial copying of the OID, values of parameters p_i and l_i for specifying a copying region are determined using arbitrary means such as random number generation respectively (step S913). Here, L is equal to the total length L of the OID, and [illegible] is an arbitrarily defined value within a range in which a relationship of p [illegible] ≤ L holds. Then, an information in a range between a position p_i to a position p_i + l_i from the top of the OID is copied to the same positions in the tentative AID (step S915). In other words, this OID fragment will be copied to a range between a position p_i and a position p_i + l_i from the top of the tentative AID. Then, the values of p_i and l_i are written into a prescribed range in the tentative AID into which the OID has been partially copied, in a form encrypted by an arbitrary means (step S917). Then, an SCS information given by an arbitrary character string (host name, real domain, etc.) that can uniquely identify a host or a domain that is operating the SCS 5 on the network is written into a prescribed range in the tentative AID into which these values are written (step S919). Then, the tentative AID into which the above character string is written is signed using a secret key of the CA 1 (step S921).
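
The steps S911 to S921 above, as an added Python example that is not code from the patent. Assumptions: the copy region satisfies p + l ≤ L, HMAC-SHA256 stands in for the CA's signature, an HMAC-derived XOR pad stands in for the unspecified encryption of the position values, and the dict layout, key names and sample values are constructed. `judge_identity` goes one step beyond this paragraph: it overlays the fragments of several AIDs, a simplification of the identity judgement the text mentions and not the procedure of Fig. 6.

```python
import hashlib
import hmac
import secrets
import struct

def pad(pos_key: bytes, nonce: bytes) -> bytes:
    # Stand-in (assumption) for "encrypted by an arbitrary means":
    # an 8-byte XOR pad derived with HMAC-SHA256 from a per-AID nonce.
    return hmac.new(pos_key, nonce, hashlib.sha256).digest()[:8]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ca_sign(sign_key: bytes, aid: dict) -> bytes:
    # Stand-in (assumption) for the CA's public-key signature: HMAC-SHA256
    # over length-prefixed fields, so field boundaries cannot be shifted.
    parts = (aid["field"], aid["nonce"], aid["pos"], aid["scs"])
    msg = b"".join(struct.pack(">I", len(x)) + x for x in parts)
    return hmac.new(sign_key, msg, hashlib.sha256).digest()

def make_aid(oid, scs_info, sign_key, pos_key, p=None, l=None):
    """CA side, steps S911 to S921. p and l are random unless given."""
    L = len(oid)
    field = bytearray(secrets.token_bytes(L))      # S911: tentative AID, length L
    if l is None:
        l = 1 + secrets.randbelow(L)               # S913: fragment length 1..L
    if p is None:
        p = secrets.randbelow(L - l + 1)           # S913: start, so p + l <= L
    if not (l >= 1 and 0 <= p and p + l <= L):
        raise ValueError("copy region must lie inside the OID")
    field[p:p + l] = oid[p:p + l]                  # S915: copy to same positions
    nonce = secrets.token_bytes(8)
    pos = xor(struct.pack(">II", p, l), pad(pos_key, nonce))      # S917
    aid = {"field": bytes(field), "nonce": nonce,
           "pos": pos, "scs": scs_info}            # S919: SCS host or domain
    aid["sig"] = ca_sign(sign_key, aid)            # S921
    return aid

def verify_aid(aid, sign_key):
    return hmac.compare_digest(aid["sig"], ca_sign(sign_key, aid))

def open_fragment(aid, pos_key):
    """Recover (p, fragment) from one AID; only a position-key holder can."""
    p, l = struct.unpack(">II", xor(aid["pos"], pad(pos_key, aid["nonce"])))
    return p, aid["field"][p:p + l]

def judge_identity(aids, sign_key, pos_key):
    """Overlay the OID fragments of several AIDs.

    Returns (consistent, partial_oid, agreeing_overlap). partial_oid holds
    None where no fragment has revealed a byte yet; a larger agreeing
    overlap is stronger evidence that the AIDs share one OID.
    """
    known, overlap = {}, 0
    for aid in aids:
        if not verify_aid(aid, sign_key):
            raise ValueError("AID not signed by the CA")
        p, frag = open_fragment(aid, pos_key)
        for i, byte in enumerate(frag, start=p):
            if i in known and known[i] != byte:
                return (False, None, overlap)      # fragments of different OIDs
            overlap += i in known
            known[i] = byte
    size = len(aids[0]["field"])
    return (True, [known.get(i) for i in range(size)], overlap)

if __name__ == "__main__":
    # Constructed sample values.
    sk, pk = b"constructed-ca-sign-key", b"constructed-ca-pos-key"
    oid = b"ALICE-0001"
    tickets = [make_aid(oid, b"scs.example", sk, pk) for _ in range(4)]
    print(judge_identity(tickets, sk, pk))
```

Every issued AID discloses l bytes of the OID to whoever holds the position key, so the protection of that key bounds how much of the OID a collection of AIDs reveals.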

[0161] Next, a procedure for registering the AID of a user-B 3 and the disclosed information into the ADS 7 will be described. First, the bidirectional authentication by arbitrary means using the AID of the user-B 3 and the certificate of the ADS 7 is carried out between the user-B 3 who is a registrant and the ADS 7. Then, the user-B 3 transmits the transfer control flag value, the validity period value, and the disclosed information such as interests to the ADS 7. Then, the ADS 7 stores the transfer control flag value, the validity period value, and the entire disclosed information in relation to the AID of the user-B 3 in its storage device. Here, there can be cases where communications between the user-B 3 who is the registrant and the ADS 7 are to be encrypted.
[0162] Next, a procedure by which a user-A 3 searches through the disclosed information that is registered in the ADS 7 will be described. First, the bidirectional authentication by arbitrary means using the AID of the user-A 3 and the certificate of the ADS 7 is carried out between the user-A 3 who is a searcher and the ADS 7. Then, the user-A 3 transmits arbitrary search conditions to the ADS 7. Then, the ADS 7 presents all the received search conditions to its storage device and extracts the AID of a registrant which satisfies these search conditions. Then, the ADS 7 generates the PAT from the AID of the user-A 3, the AID of the registrant who satisfied all the search conditions, the transfer control flag value, and the validity period value. Then, the ADS 7 transmits the generated PAT to the user-A 3. Here, there can be cases where communications between the user-A 3 who is a searcher and the ADS 7 are to be encrypted. Note that the 1-to-1 PAT is generated as a search result of the ADS 7.

[0163] Next, the 1-to-1 PAT generation processing at the ADS 7 will be described with reference to Fig. 4.
[0164] First, an information of a prescribed length is generated, and this information is set as a tentative PAT (step S1210). Then, the AID of the user-A who is a searcher and the AID of the user-B 3 who is a registrant are copied into a prescribed region of the tentative PAT (step S1215). Then, the transfer control flag value and the validity period value are written into respective prescribed regions of the tentative PAT into which the AIDs are copied (step S1217). Then, the tentative PAT into which these values are written is signed using a secret key of the ADS 7 (step S1219).
[0165] Next, the transfer control using the 1-to-1 PAT will be described. The transfer control is a function for limiting accesses to a user who has a proper access right from a third person to whom the PAT has been transferred or who has eavesdropped the PAT (a user who originally does not have the access right).
[0166] The ADS 7 and the user-B 3 of the registrant AID can prohibit a connection to the user-B 3 from a third person who does not have the access right, by setting a certain value into the transfer control flag of the PAT.

[0167] When the transfer control flag value is set to be 1, the sender's AID is authenticated between the SCS 5 and the sender according to an arbitrary challenge/response process, so that even if the sender gives both the sender's AID and the PAT to another user other than the sender, that another user will not be able to make a connection to the registrant of the ADS 7 through the SCS 5.

[0168] On the other hand, when the transfer control flag value is set to be 0, no challenge/response process will be carried out between the SCS 5 and the sender, so that if the sender gives both the sender's AID and the PAT to another user other than the sender, that another user will also be able to make a connection to the registrant of the ADS 7 through the SCS 5.
[0169] Next, the email access control method at the SCS 5 will be described with reference to Fig. 5.
[0170] The sender specifies "[sender's AID]@[real domain of SCS of sender]" in From: line, and "[PAT]@[real domain of SCS of sender]" in To: line.
[0171] The SCS 5 acquires a mail received by an MTA (Message Transfer Agent) such as SMTP (Simple Mail Transfer Protocol), and executes the processing of Fig. 5 as follows.

(1) The signature of the PAT is verified using a public key of the ADS 7.
When the PAT is found to have been altered (step S1415 YES), the mail is discarded and the processing is terminated (step S1416).
When the PAT is found to have been not altered (step S1415 NO), the following processing (2) is executed.

(2) The search is carried out by presenting the sender's AID to the PAT (steps S1417, S1419, …).
When an AID that completely matches with the sender's AID is not contained in the PAT (step S1423 NO), the mail is discarded and the processing is terminated (step S1416).
When an AID that completely matches with the sender's AID is contained in the PAT (step S1423 YES), the following processing (3) is executed.

(3) The validity period value of the PAT is evaluated (step S1425).
When the PAT is outside the validity period (step S1427 NO), the mail is discarded and the processing is terminated (step S1416).
When the PAT is within the validity period (step S1427 YES), the following processing (4) is executed.

(4) Whether or not to authenticate the sender is determined by referring to the transfer control flag value of the PAT (steps S1431, S1433).
When the value is 1 (step S1433 YES), the challenge/response authentication between the SCS 5 and the sender is carried out, and the signature of the sender is verified (step S1435). When the signature is valid, the recipient is specified and the PAT is attached (step S1437). When the signature is invalid, the mail is discarded and the processing is terminated (step S1416).
When the value is 0 (step S1433 NO), the recipient is specified and the PAT is attached without executing the challenge/response authentication (step S1437).

[0172] Next, an exemplary challenge/response authentication between the SCS 5 and the sender will be described.

[0173] First, the SCS 5 generates an arbitrary information such as a timestamp, for example, and transmits the generated information to the sender.
[0174] Then, the sender signs the received information using a secret key of the sender's AID and transmits it along with a public key of the sender's AID.
[0175] The SCS 5 then verifies the signature of the received information using the public key of the sender's AID. When the signature is valid, the recipient is specified and the PAT is attached. When the signature is invalid, the mail is discarded and the processing is terminated.
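The four checks of Fig. 5 and the challenge/response of [0172] to [0175], as an added example that is not part of the patent text. HMAC-SHA256 stands in for the public-key signatures, the validity period is simplified to an expiry time, and all names, keys and AID strings are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Constructed keys. HMAC-SHA256 stands in for the public-key signatures of
# the text, so the verifier here holds the same key as the signer.
ADS_KEY = b"constructed-ads-signing-key"
AID_KEYS = {"AID-A": b"constructed-key-of-AID-A"}  # key bound to each sender's AID


def sign(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class PAT:
    aids: tuple            # 1-to-1 PAT: sender's AID and recipient's AID
    valid_until: int       # validity period, simplified to an expiry time
    transfer_control: int  # 1: authenticate the sender, 0: do not
    signature: str = ""

    def body(self) -> bytes:
        fields = [list(self.aids), self.valid_until, self.transfer_control]
        return json.dumps(fields).encode()


def issue_pat(aids, valid_until, transfer_control) -> PAT:
    """Issuer side (the ADS in the text): fill in the fields and sign them."""
    unsigned = PAT(tuple(aids), valid_until, transfer_control)
    return PAT(unsigned.aids, valid_until, transfer_control,
               sign(ADS_KEY, unsigned.body()))


def scs_process(pat: PAT, sender_aid: str, now: int, answer_challenge):
    """Steps (1)-(4) of Fig. 5. Returns (decision, recipient AIDs)."""
    # (1) A PAT whose signature does not verify has been altered.
    if not hmac.compare_digest(pat.signature, sign(ADS_KEY, pat.body())):
        return "discard: PAT altered", []
    # (2) The sender's AID must completely match an AID inside the PAT.
    if sender_aid not in pat.aids:
        return "discard: sender's AID not in PAT", []
    # (3) The PAT must be within its validity period.
    if now > pat.valid_until:
        return "discard: outside validity period", []
    # (4) Flag 1: the sender must prove possession of the key of the AID.
    if pat.transfer_control == 1:
        challenge = f"{now}:{secrets.token_hex(16)}".encode()
        key = AID_KEYS.get(sender_aid)
        response = answer_challenge(challenge)
        if key is None or not hmac.compare_digest(response, sign(key, challenge)):
            return "discard: challenge/response failed", []
    # Recipients are all AIDs in the PAT that do not match the sender's AID.
    return "deliver", [aid for aid in pat.aids if aid != sender_aid]


def demo() -> dict:
    now = 1_000  # constructed clock value
    owner = lambda c: sign(AID_KEYS["AID-A"], c)  # holds the key of AID-A
    third = lambda c: sign(b"some-other-key", c)  # was handed AID-A and the PAT only
    strict = issue_pat(["AID-A", "AID-B"], now + 60, 1)
    loose = issue_pat(["AID-A", "AID-B"], now + 60, 0)
    edited = PAT(("AID-X", "AID-B"), now + 60, 0, loose.signature)
    return {
        "owner, flag 1": scs_process(strict, "AID-A", now, owner),
        "third person, flag 1": scs_process(strict, "AID-A", now, third),
        "third person, flag 0": scs_process(loose, "AID-A", now, third),
        "edited AID list": scs_process(edited, "AID-X", now, owner),
        "AID not in PAT": scs_process(strict, "AID-Z", now, owner),
        "expired": scs_process(strict, "AID-A", now + 61, owner),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22} {result}")
```

With the flag at 0 the PAT and the sender's AID together act as a bearer credential, which is why the third person's mail is delivered in that case.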

[0176] Next, a method for specifying the recipient at the SCS 5 will be described. First, the SCS 5 carries out the search by presenting the sender's AID to the PAT, so as to acquire all the AIDs which do not completely match the sender's AID. All these acquired AIDs will be defined as recipient's AIDs [illegible] recipient's AID, the real domain of SCS of recipient is taken out from the recipient's AID [illegible] specified in a format of "[recipient's AID]@[real domain of SCS of recipient]" [illegible] sender from a format of "[illegible] of SCS of sender]" to [illegible].
[0177] Next, a method for attaching the PAT at the SCS 5 will be described. [illegible] PAT to an arbitrary position in the [illegible] mail to the [illegible] after specifying the recipient and attaching the PAT.

[0178] Note that all the processings described above are the same in the case of the 1-to-N PAT.

[0179] Next, a method of receiving refusal with respect to the PAT at the SCS 5 will be described.
[0180] Receiving refusal setting: The bidirectional authentication is carried out by an arbitrary means between the user and the SCS 5. Then, the user transmits a registration command, his/her own AID, and arbitrary PATs to the SCS 5. Then, the SCS 5 verifies the signature of the received AID. If the signature is invalid, the processing of the SCS 5 is terminated. If the signature is valid, the SCS 5 next verifies the signature of each received PAT using a public key of the ADS. Those PATs with the invalid signature are discarded by the SCS 5. When the signature is valid, the SCS 5 carries out the search by presenting the received AID to each PAT. For each of those PATs which contain the AID that completely matches with the received AID, the SCS 5 presents the registration command and the PAT to the storage device such that the PAT is registered into the storage device. Those PATs which do not contain the AID that completely matches with the received AID are discarded by the SCS 5 without storing them into the storage device. Here, there can be cases where communications between the user and the SCS 5 are to be encrypted.

[0181] Receiving refusal execution: The SCS 5 carries 
out the search by presenting the PAT to the storage 
device. When a PAT that completely matches the pre- 
sented PAT is registered in the storage device, the mail 
is discarded. When a PAT that completely matches the 
presented PAT is not registered in the storage device, the
mail is not discarded. 

[0182] Receiving refusal cancellation: The bidirectional authentication is carried out by an arbitrary means between the user and the SCS 5. Then, the user presents his/her own AID to the SCS 5. Then, the SCS 5 verifies the signature of the received AID. If the signature is invalid, the processing of the SCS 5 is terminated. If the signature is valid, the SCS 5 next presents the presented AID as a search condition to the storage device and acquires all the PATs that contain the presented AID [illegible] PATs to the user. Then, the user selects all the PATs for which [illegible] the selected PATs [illegible] to the SCS. Upon [illegible] all [illegible] and [illegible] all the PATs received from the user to the storage device such that all the received PATs are deleted from the storage device.



[0183] Note that the method of receiving refusal with respect to the 1-to-N PAT at the SCS 5 is the same as the method of receiving refusal with respect to the 1-to-1 PAT described above.

[0184] Note also that the case of returning of a mail from the user-B to the user-A is the same as in the case of transmitting a mail from the user-A to the user-B.
[0185] Next, the judgement of identity will be described with reference to Fig. 6 and Fig. 7.

(1) An initial value of a variable OID_M is defined as a bit sequence with a length equal to the total length L of the OID and all values equal to "0". Also, an initial value of a variable OID_V is defined as a bit sequence with a length equal to the total length of the OID and all values equal to "0" (step S2511).
(2) One AID is selected from a set of processing target AIDs, and the following bit processing is carried out (step S2513).

    (a) Values of variables AID_M and AID_V are determined according to the position information contained in the AID (step S2515). Here, AID_M is defined as a bit sequence with a length equal to the total length L of the OID, and a value of a position at which the OID information is defined is "1" while a value of a position at which the OID information is not defined is "0" (see Fig. 7). Also, AID_V is defined as a bit sequence with a length equal to the total length L of the OID and a value of a position at which the OID information is defined is an actual value of the OID information while a value of a position at which the OID information is not defined is 0 (see Fig. 7).

    (b) AND processing of OID_M and AID_M is carried out and its result is substituted into a variable OVR_M (step S2517).

    (c) AND processing of OVR_M and AID_V as well as AND processing of OVR_M and OID_V are carried out and their results are compared (step S2519). When they coincide, OR processing of OID_M and AID_M is carried out and its result is substituted into OID_M (step [illegible]), while OR processing of OID_V and AID_V is also carried out and its result is substituted into OID_V (step S2523). On the other hand, when they do not coincide, the processing proceeds to the step S2525.

    (d) An AID to be processed next is selected from a set of processing target AIDs [illegible] least one other AID is contained in [illegible] the steps S2513 [illegible] are executed [illegible] another AID; when no other AID is contained in the set, the [illegible].

    (e) Values of OID_M and OID_V are outputted (step S2527).

[0186] The value of OID_M that is eventually obtained indicates all positions of the OID information that can be recovered from the set of processing target AIDs. Also, the value of OID_V that is eventually obtained indicates all the OID information that can be recovered from the set of processing target AIDs. In other words, by using the values of OID_M and OID_V, it is possible to obtain the OID albeit probabilistically when the value of OID_V is used as a search condition, and it is possible to quantitatively evaluate a precision of the above search by a ratio OID_M/L with respect to the total length L of the OID.
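The bit processing of steps (1) to (e) on a constructed 32-bit OID, as an added example that is not part of the patent text. The AID encoding as (position, length, value) fragments, the sample OIDs and the reading of the ratio OID_M/L as "number of 1 bits in OID_M divided by L" are assumptions made here; the list of skipped AIDs is returned in addition to what the text outputs.

```python
L = 32  # constructed OID length in bits; position 0 is the most significant bit


def make_aid(oid: int, *spans):
    """Constructed AID: OID fragments with position information (pos, length, value)."""
    return tuple((pos, n, (oid >> (L - pos - n)) & ((1 << n) - 1)) for pos, n in spans)


def aid_bits(aid):
    """Step (a): AID_M marks the defined positions, AID_V carries their values."""
    aid_m = aid_v = 0
    for pos, n, value in aid:
        shift = L - pos - n
        aid_m |= ((1 << n) - 1) << shift
        aid_v |= value << shift
    return aid_m, aid_v


def judge_identity(aids):
    """Steps (1)-(e). Returns (OID_M, OID_V, indexes of AIDs that conflicted)."""
    oid_m = oid_v = 0                        # (1) all-zero start values
    skipped = []
    for index, aid in enumerate(aids):       # (2), (d): one AID at a time
        aid_m, aid_v = aid_bits(aid)         # (a)
        ovr_m = oid_m & aid_m                # (b) positions known on both sides
        if ovr_m & aid_v == ovr_m & oid_v:   # (c) the overlapping values agree
            oid_m |= aid_m
            oid_v |= aid_v
        else:
            skipped.append(index)            # conflicting AID: leave OID_M/OID_V as is
    return oid_m, oid_v, skipped             # (e)


def precision(oid_m: int) -> float:
    """Share of OID positions recovered (assumed meaning of the ratio OID_M/L)."""
    return bin(oid_m).count("1") / L


# Constructed sample data: two OIDs and AIDs cut from them.
OID_1 = 0xC0FFEE42
OID_2 = 0x12345678
AID_1 = make_aid(OID_1, (0, 12))    # bits 0..11 of OID_1
AID_2 = make_aid(OID_1, (8, 12))    # bits 8..19 of OID_1, overlaps AID_1
AID_3 = make_aid(OID_2, (4, 12))    # other user, overlaps and conflicts
AID_4 = make_aid(OID_2, (24, 8))    # other user, no overlap with AID_1/AID_2


def demo():
    same_user = judge_identity([AID_1, AID_2, AID_3])
    # AID_4 shares no position with what is already known, so step (c)
    # compares 0 with 0 and the foreign fragment is absorbed.
    false_merge = judge_identity([AID_1, AID_2, AID_4])
    return same_user, false_merge


if __name__ == "__main__":
    for oid_m, oid_v, skipped in demo():
        print(f"OID_M={oid_m:08X} OID_V={oid_v:08X} "
              f"precision={precision(oid_m):.3f} skipped={skipped}")
```

The second case shows why the text calls the result probabilistic: only overlapping positions can expose a mismatch, so an AID with no overlap is merged regardless of whose OID it came from.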
[0187] As described above, in this first embodiment, the CA 1 which is a Trusted Third Party with high secrecy and credibility generates the AID in which the personal information is concealed, from the OID that contains the highly secret personal information such as name, telephone number, real email address, etc., according to a user request, and issues the AID to the user. By identifying the user by this AID on the communication network as well as in various services provided on the communication network, it becomes possible to provide both the anonymity guarantee and the identity guarantee for the user. In other words, it becomes possible for the user to communicate with another user without revealing the own real name, telephone number, email address, etc., to that another user, and it also becomes possible to disclose the disclosed information to unspecified many through the ADS 7 as will be described below.
[0188] The user registers the disclosed information, that is an information which is supposed to have a low secrecy compared with the personal information, at the ADS 7. In the case of searching the disclosed information and the registrant AID, the searcher presents the AID of the searcher and arbitrary search conditions to the ADS 7. The ADS 7 then extracts the registrant AID that satisfies these search conditions, and generates the PAT from the AID of the searcher and the AID of the registrant who satisfied the search conditions, the transfer control flag value, and the validity period value.
[0189] In this 1-to-1 PAT, the transfer control flag value and the validity period value are set as shown in a part (c) of Fig. 2, and by setting up this validity period in advance, it is possible to limit connections from the sender.

[0190] It is also possible to prohibit a connection from a third person who does not have the access right, by using the transfer control flag. When the transfer control flag value is set to be 1, the sender's AID is authenticated between the SCS 5 and the sender according to an arbitrary challenge/response process, so that even if the sender gives both the sender's AID and the PAT to another user other than the sender, that another user will not be able to make a connection to the registrant of the ADS 7 through the SCS 5. On the other hand, when the transfer control flag value is set to be 0, no challenge/response process will be carried out between the SCS 5 and the sender, so that if the sender gives both the sender's AID and the PAT to another user other than the sender, that another user will also be able to make a connection to the registrant of the ADS 7 through the SCS 5.
[0191] It is also possible to make a connection request to the communication [illegible] the recipient is specified by the 1-to-1 PAT will be received by [illegible] sender's AID [illegible] defined within the PAT. In addition, it is also possible to refuse receiving calls [illegible] 1-to-1 PAT selected by the recipient among calls [illegible] specified by the 1-to-1 PAT. It is also possible to cancel the receiving refusal of the calls with the 1-to-1 PAT selected by the recipient. In addition, as [illegible] sender who repeats the personal [illegible] using a plurality of sender's AIDs [illegible], it is possible to judge the identity of the OID from these plurality of sender's AIDs and it is possible to extract that OID at some probability.

[0192] Next, with references to Fig. 8 to Fig. 24, the second embodiment of the email access control scheme according to the present invention will be described in detail.

[0193] In contrast to the first embodiment described above which is directed to the case where a sender and a recipient are set in 1-to-1 correspondence, this second embodiment is directed to the case where a sender and recipients are set in 1-to-N correspondence, and a generation of a new PAT and a content change of the existing PAT can be made by the initiative of a user. Here, the sender is either a holder of the PAT or a member of the PAT. Similarly, the recipient is either a holder of the PAT or a member of the PAT.
[0194] In general, a membership of a group communication (mailing list, etc.) is changing dynamically so that it is necessary for a host of the group communication to manage information on a point of contact such as telephone number, email address, etc., of each member. In contrast, in the case where it is only possible to newly generate a 1-to-1 PAT as in the first embodiment, the management of a point of contact is difficult. For example, it is difficult to manage the group collectively and even if it is given to the others for the purpose of the transfer control, it does not function as an address of the group communication such as mailing list.
[0195] In this second embodiment, in order to resolve such a problem, it is made possible to carry out a generation of a new 1-to-N PAT and a content change of the existing 1-to-N PAT by the initiative of a user.
[0196] First, the definition of various identifications used in this second embodiment will be described with references to Fig. 8 and Fig. 9.
[0197] As shown in a part (a) of Fig. 8, the OID is an information comprising an arbitrary character string (telephone number, email address, etc.) according to a rule by which the CA 1 can uniquely identify the user and a public key, which is signed by the CA 1.
[0198] Also, as shown in a part (b) of Fig. 8, the AID is an information comprising fragments of the OID and their position information, [illegible] strings, and an SCS information given by an arbitrary character string (host name, real domain name, etc.) by which a host or domain that is operating the SCS 5 can be uniquely identified on the network, which is signed by the CA 1.

[0199] Also, as shown in a part (c) of Fig. 8, the 1-to-N PAT is an information comprising two or more AIDs, a holder index, the validity period, the transfer control flag, and a PAT processing device identifier, which is signed using a secret key of the PAT processing device.
[0200] Here, one of the AIDs is a holder AID of this PAT, where the change of the information contained in the PAT such as an addition of AID to the PAT, a deletion of AID from the PAT, a change of the validity period in the PAT, a change of the transfer control flag value in the PAT, etc., can be made by presenting the holder AID and a corresponding Enabler to the PAT processing device.

[0201] On the other hand, the AIDs other than the holder AID that are contained in the PAT are all member AIDs, where a change of the information contained in the PAT cannot be made even when the member AID and a corresponding Enabler are presented to the PAT processing device.

[0202] The holder index is a numerical data for identifying the holder AID, which is defined to take a value 1 when the holder AID is a top AID in the AID list formed from the holder AID and the member AIDs, a value 2 when the holder AID is a second AID from the top of the AID list, or a value n when the holder AID is an n-th AID from the top of the AID list.

[0203] The transfer control flag value is defined to take either 0 or 1 similarly as in the case of the 1-to-1 PAT.
[0204] The holder AID is defined to be an AID which is written at a position of the holder index value in the AID list. The member AIDs are defined to be all the AIDs other than the holder AID.

[0205] The validity period is defined by any one or combination of the number of times for which the PAT is available, the absolute time (UTC) by which the PAT becomes unavailable, the absolute time (UTC) by which the PAT becomes available, and the relative time (lifetime) since the PAT becomes available until it becomes unavailable.

[0206] The identifier of a PAT processing device (or a PAT processing object on the network) is defined as a serial number of the PAT processing device (or a distinguished name of the PAT processing object on the network). The secret key of the PAT processing device (or the PAT processing object on the network) is defined to be uniquely corresponding to the identifier.
[0207] Also, in this second embodiment, an Enabler is introduced as an identifier corresponding to the AID. As shown in Fig. 9, the Enabler is an information comprising a character string uniquely indicating that it is an Enabler and an AID itself, which is signed by the CA 1.
[0208] The operations for a generation of a new PAT and a content change of the existing PAT will be described. Here, the following operations are defined at a secure PAT processing device on the communication terminal or a PAT processing object on the CA or on a network which is properly requested from the CA (which will also be referred to as a PAT processing device hereafter).

1. Editing of AID list:

   A list of AIDs (referred hereafter as an AID list) contained in the PAT is edited using AIDs and Enabler. Else, the AID list is newly generated.

2. Setting of the validity period and the transfer control flag:

   The validity period value and the transfer control flag value contained in the PAT are changed using an AID and Enabler. Also, a new validity period value and a new transfer control flag value are set in the newly generated AID list.

[0209] A user who presented the holder AID and the Enabler corresponding to this holder AID to the PAT processing device can edit the list of AIDs contained in the PAT. In this case, the following processing rules are used.

(1) Generating a new PAT (MakePAT) (see Fig. 10):
    The AID list (ALIST<holder AID | member AID_1, member AID_2, ..., member AID_n>) is newly generated, and the validity period value and the transfer control flag value are set with respect to the generated ALIST.

        AID_A + AID_B + Enabler of AID_B + Enabler of AID_A
        -> ALIST<AID_A | AID_B>

        ALIST<AID_A | AID_B> + Enabler of AID_A + validity period value + transfer control flag value
        -> PAT<AID_A | AID_B>

(2) Merging PATs (MergePAT) (see Fig. 11):
    A plurality of ALISTs of the same holder AID are merged and the validity period value and the transfer control flag value are set with respect to the merged ALIST.

        ALIST<AID_A | AID_B1, AID_B2, ...> + ALIST<AID_A | AID_C1, AID_C2, ...> + Enabler of AID_A
        -> ALIST<AID_A | AID_B1, AID_B2, ..., AID_C1, AID_C2, ...>

        ALIST<AID_A | AID_B1, AID_B2, ..., AID_C1, AID_C2, ...> + Enabler of AID_A + validity period value + transfer control flag value
        -> PAT<AID_A | AID_B1, AID_B2, ..., AID_C1, AID_C2, ...>

(3) Splitting a PAT (SplitPAT) (see Fig. 12):
    The ALIST is split into a plurality of ALISTs of the same holder AID, and the respective validity period value and transfer control flag value are set with respect to each one of the split ALISTs.

        ALIST<AID_A | AID_B1, AID_B2, ..., AID_C1, AID_C2, ...> + Enabler of AID_A
        -> ALIST<AID_A | AID_B1, AID_B2, ...> + ALIST<AID_A | AID_C1, AID_C2, ...>

        ALIST<AID_A | AID_C1, AID_C2, ...> + Enabler of AID_A + validity period value + transfer control flag value
        -> PAT<AID_A | AID_C1, AID_C2, ...>

(4) Changing a holder of a PAT (TransPAT) (see Fig. 13):
    The holder AID of the ALIST is changed, and the validity period value and the transfer control flag value are set with respect to the changed ALIST.

        ALIST<AID_A | AID_B> + ALIST<AID_A | AID_C1, [illegible]
        Enabler of AID_[illegible] + Enabler [illegible]
        [illegible]

[0210] In the processing of setting the validity period value, in order to [illegible] the setting of the validity period value only to a user who holds both the holder AID and the corresponding Enabler, the following operation is defined.

        PAT<AID_A | AID_B> + Enabler of AID_A + validity period value
        -> PAT<AID_A | AID_B>

[0211] In the processing of setting the transfer control flag value, in order to [illegible] the setting of the transfer control flag value only to a user who holds both the holder AID and the corresponding Enabler, the following operation is defined.

        PAT<AID_A | AID_B> + Enabler of AID_A + transfer control flag value
        -> PAT<AID_A | AID_B>

[0212] Next, with references to Fig. 14 to Fig. 20, the overall system configuration of this second embodiment will be described. In Fig. 14 to Fig. 20, the user-A who has AID_A allocated from the CA stores AID_A and Enabler of AID_A in a computer of the user-A, and the input/output devices such as floppy disk drive, CD-ROM drive, communication board, microphone, speaker, etc., are connected. Else, AID_A and Enabler of AID_A are stored in a communication terminal (telephone, cellular phone, etc.) which has a storage device and a data input/output function.

[0213] Similarly, the user-B who has AID_B allocated from the CA stores AID_B and Enabler of AID_B in a computer of the user-B, and the input/output devices such as floppy disk drive, CD-ROM drive, communication board, microphone, speaker, etc., are connected. Else, AID_B and Enabler of AID_B are stored in a communication terminal (telephone, cellular phone, etc.) which has a storage device and a data input/output function.
[0214] In the following, a procedure by which the user-A generates PAT<AID_A | AID_B> will be described.

(1) The user-A acquires AID_B and Enabler of AID_B using any of the following means:

    * AID_B and Enabler of AID_B are registered at the ADS 7, and it is waited until the user-A acquires them as a search result (Fig. 14).

    * AID_B and Enabler of AID_B are directly transmitted to the user-A by the email, signaling, etc. (Figs. 15, 16).

    * AID_B and Enabler of AID_B are recorded in a magnetic, optic, or electronic medium such as floppy disk, CD-ROM, [illegible], IC card, etc., and this medium is given to the user-A. Else, it is waited until the user-A acquires them by reading this medium (Figs. 17, 18).

    * AID_B and Enabler of AID_B are printed on a paper medium such as book, name card, etc., and this medium is given to the user-A. Else, it is waited until the user-A acquires them by reading this medium (Figs. 19, 20).

(2) The user-A who has acquired AID_B and Enabler of AID_B by any of the means described in the above (1) issues the MakePAT command to the PAT processing device. This procedure is common to Fig. 14 to Fig. 20, and defined as follows.

    (a) The user-A requests the issuance of the MakePAT command by setting AID_A, Enabler of AID_A, AID_B, Enabler of AID_B, the validity period value, and the transfer control flag value into the communication terminal of the user-A.

    (b) The communication terminal of the user-A generates the MakePAT command.

    (c) The communication terminal of the user-A transmits the generated MakePAT command to the PAT processing device by means such as the email, signaling, etc. (the issuance of the MakePAT command).

    (d) The PAT processing device generates PAT<AID_A | AID_B> by processing the received MakePAT command according to Fig. 21 and Fig. 23. More specifically, this is done as follows.

        AID_A + AID_B + Enabler of AID_B + Enabler of AID_A
        -> ALIST<AID_A | AID_B>

        ALIST<AID_A | AID_B> + Enabler of AID_A + validity period value + transfer control flag value
        -> PAT<AID_A | AID_B>

    (e) The PAT processing device transmits the generated PAT<AID_A | AID_B> to the communication terminal of the user-A, or to the communication terminal of the user-B according to the need, by means such as the email, signaling, etc.

    (f) The communication terminal of the user-A [illegible] PAT<AID_A | AID_B> in the storage device of the communication terminal of the user-A.

[0215] The merging of PATs (MergePAT, Fig. 21, Fig. 23), the splitting of a PAT (SplitPAT, Fig. 22, Fig. 23), and the changing of a PAT (TransPAT, Fig. 21, Fig. 23) are also carried out by the similar procedure.
[0216] Next, the procedure of MakePAT, MergePAT and TransPAT will be described with reference to Fig. 21.

(1) The holder AID is specified (step S4411).

(2) All the member AIDs are specified (step S4412).

(3) The AID list is generated from the specified holder AID and all the specified member AIDs (step S4413). More specifically, the specified holder AID and all the specified member AIDs are concatenated using arbitrary means.

(4) A tentative PAT is generated, using arbitrary means, similarly as in the case of a tentative AID (step S4414).

(5) The generated AID list is copied to a prescribed region of the generated tentative PAT (step S4415).

(6) The holder index value is written into the tentative PAT to which the AID list has been copied (step S4416).

(7) The transfer control flag value is written into the tentative PAT into which the holder index value has been written (step S4417).

(8) The validity period value is written into the tentative PAT into which the transfer control flag value has been written (step S4418).

(9) The PAT processing device identifier is written into the tentative PAT into which the validity period value has been written (step S4419).

(10) The tentative PAT into which the PAT processing device identifier has been written is signed using the secret key of the PAT processing device (step S4420).

[0217] Next, the procedure of SplitPAT will be described with reference to Fig. 22.

(1) The holder AID is specified (step S4511).

(2) All the AIDs to be the member AIDs of the PATs after the splitting are specified (step S4512).

(3) The AID list is generated from the specified holder AID and all the specified member AIDs (step S4513). More specifically, the specified holder AID and all the specified member AIDs are concatenated using arbitrary means.

(4) A tentative PAT is generated using arbitrary means, similarly as in the case of a tentative AID (step S4514).

(5) The generated AID list is copied to a prescribed region of the generated tentative PAT (step S4515).

(6) The holder index value is written into the tentative PAT to which the AID list has been copied (step S4516).

(7) The transfer control flag value is written into the tentative PAT into which the holder index value has been written (step S4517).

(8) The validity period value is written into the tentative PAT into which the transfer control flag value has been written (step S4518).

(9) The PAT processing device identifier is written into the tentative PAT into which the validity period value has been written (step S4519).

(10) The tentative PAT into which the PAT processing device identifier has been written is signed using the secret key of the PAT processing device (step S4520).

(11) In the case of continuing the splitting (step S4521 YES), the procedure returns to (2), and repeats (2) to (10) sequentially.

[0218] Note that, in the procedures of Fig. 21 and Fig. 22, the AID list generation is carried out according to Fig. 23 as follows. Namely, a buffer length is determined first (step S4611) and a buffer is generated (step S4612). Then, the holder AID is copied to a vacant region of the generated buffer (step S4613). Then, the member AID is copied to a vacant region of the resulting buffer (step S4614), and if the next member AID exists (step S4615 YES), the step S4614 is repeated.
[0219] Next, the determination of the holder AID will be described. Each of the MakePAT, the MergePAT, the SplitPAT, and the TransPAT commands is defined to have two or more arguments, where AID, PAT, or Enabler can be specified as an argument. In this case, the PAT processing device specifies the holder AID of the PAT to be outputted after executing each command according to the following rules:

* Case of the MakePAT: 

- For the MakePAT command, it Is defined that 
AIDs are to be specified for the first argument to the 

N-th argument (N = 2, 3, ) and Ena- so 

biers are to be specified for the N+1-th and subse- 
quent arguments. For example, they can be 
specified as follows. 

MakePAT AIDi. AID2, AIDn. 55 

Enabler of AID-,, Enabler of AID2, Enabler of 
" AID^, 



The PAT prqcessng device ihter^ the AID. 
* of the f irst argument' of the' MakePAT c^ as 
the holder AID. " - - ^ - 

^j^^ Qnly whf n one of .the .Enablers of the N+1-th 
and sikisequeht %gumer^^ to^^ AID 

of the first arguriieiit th'fe PAT processing device 
5r!T?£'!it^£^&^^^'&'''i**^?* iSjth^, Alb i^f the first argu- 
JjvB^ 9s%'c.fipi5^^^^^ be Houtputted 

after execirana th^ Makef^^ jc»mraand., 

F^AT^aretobe specif iadfor'th^efirsS the 
,N;th |rg.uqiegtJ[N,.^ ^j3, ? ^;^ ) and Ena- 

_6ler Js,^te;^6e^|fi^c^i^..^^^^^^^ N+Wh argument. 
^SianielyJ^ the^caa be as^foiiows... . J - 

'. "MergePAT FAT^ PATo >\ .\ • -PATk. Ena- 

bler^ofAD 



The , PAT processihg^ .device.^/i^e^^^ the 
Hoider AID bf Ihe^ PAT of t^^^^ the 
'MergePAT as-tiie Holder AID of |he PAT 

fo'be outptftted after exedjtjnp.the MergePAT com- 
mand. ' ' ' " ' it; - ^ 
Only when the Enatjler of th^ N+1 -th argument 
Mrresponds to thehojc^^^ AID of the PAT of the first 
lrgunrient,^flie PAT pVpcessing device specifies this 
Aip^(that js tRe'hqld^r AID of this:.PATjbf the fi^ 
argument) a# the ttol^r AID of t>ie iPAT to be but- 
putted after executing'flie MergePAT command. ' 
Case of the SplitPAT:

For the SplitPAT command, it is defined that PAT is to be specified for the first argument, a set of one or more AIDs grouped together by some prescribed symbols (parentheses in this example) are to be specified for the second argument to the N-th argument (N = 3, 4, ...), and Enabler is to be specified for the N+1-th argument. Namely, they can be specified as follows.

SplitPAT PAT (AID11) (AID21, AID22) ... (AIDN1, AIDN2, ..., AIDNM) Enabler of AID

The PAT processing device interprets the holder AID of the PAT of the first argument of the SplitPAT command as the holder AID of the PAT to be outputted after executing the SplitPAT command.

Only when the Enabler of the N+1-th argument corresponds to the holder AID of the PAT of the first argument, the PAT processing device specifies this AID (that is the holder AID of the PAT of the first argument) as the holder AID of the PAT to be outputted after executing the SplitPAT command.
Case of the TransPAT:

For the TransPAT command, it is defined that PATs are to be specified for the first argument and the second argument, AID is to be specified for the third argument, and Enablers are to be specified for the fourth argument and the fifth argument. Namely, they can be specified as follows.

TransPAT PAT1 PAT2 AID Enabler of AID1 Enabler of AID2

The PAT processing device interprets the AID of the third argument as the holder AID of the PAT to be outputted after executing the TransPAT command provided that the AID of the third argument of the TransPAT command is contained in the PAT of the second argument.

Only when the Enabler of the fourth argument corresponds to both the PAT of the first argument and the PAT of the second argument and the Enabler of the fifth argument corresponds to the AID of the third argument, the PAT processing device specifies the AID of the third argument as the holder AID of the PAT to be outputted after executing the TransPAT command.

Next, the determination of the member AIDs will be described. The definitions of the MakePAT, the MergePAT, the SplitPAT and the TransPAT commands are as described above, and the PAT processing device specifies the member AIDs of the PAT to be outputted after executing each command according to the following rules.

Case of the MakePAT:

Only when the holder AID of the PAT to be outputted after executing the MakePAT command is formally determined, the PAT processing device interprets all the AIDs of the second and subsequent arguments of the MakePAT command as the member AIDs of the PAT to be outputted after executing the MakePAT command.

The PAT processing device specifies only those AIDs among all the AIDs of the second and subsequent arguments which correspond to the Enablers specified by the N+1-th and subsequent arguments as the member AIDs of the PAT to be outputted after executing the MakePAT command.

Case of the MergePAT:

Only when the holder AID of the PAT to be outputted after executing the MergePAT command is formally determined, the PAT processing device specifies the member AIDs of all the PATs specified by the first to N-th arguments of the MergePAT as the member AIDs of the PAT to be outputted after executing the MergePAT command.
Case of the SplitPAT:

Only when the holder AID of the PAT to be outputted after executing the SplitPAT command is formally determined, the PAT processing device specifies the member AID of the PAT specified by the first argument of the SplitPAT command as the member AID of the PAT to be outputted after executing the SplitPAT command. At this point, the member AIDs are distributed into different PATs in units of parentheses (). For example, in the case of:

SplitPAT PAT (AID11) (AID21, AID22) ... (AIDN1, AIDN2, ..., AIDNM) Enabler of AID,

(AID11), (AID21, AID22) and (AIDN1, AIDN2, ..., AIDNM) will be the member AIDs of different PATs having a common holder AID.

Only when the holder AID of the PAT to be outputted after executing the TransPAT command is formally determined, the PAT processing device specifies all the member AIDs remaining after excluding the member AID that is scheduled to be a new holder AID from all the member AIDs of the PAT specified by the first argument of the TransPAT command and the member AIDs of the PAT specified by the second argument as the member AIDs of the PAT to be outputted after executing the TransPAT command.

[0220] Next, the verification of the properness of the Enabler will be described. This verification of the properness of the Enabler is common to the MakePAT, the MergePAT, the SplitPAT and the TransPAT, and carried out according to Fig. 24 as follows.

(1) AID and Enabler are entered (step S5511).

(2) Each of these entered AID and Enabler is verified using the public key of the CA 1 (step S5512). If at least one of them is altered (step S5513 YES), the processing is terminated.

(3) A character string for certifying that it is Enabler is entered (step S5514).

(4) The top field of the Enabler of the step S5511 and the character string of the step S5514 are compared (step S5515). If they do not match (step S5516 NO), the processing is terminated.

(5) If they match (step S5516 YES), the AID of the step S5511 and the AID within the Enabler are compared (step S5517).

(6) A comparison result is outputted (step S5519).

[0221] Next, with references to Fig. 25 to Fig. 28, the third embodiment of the email access control scheme according to the present invention will be described in detail.

[0222] In the generation of a new PAT (MakePAT) and the PAT holder change (TransPAT) of the above described embodiment, it is necessary to give member AIDs and Enablers of member AIDs to the holder of the PAT, but when they are given to the holder, it becomes possible for that holder to participate in the group communications hosted by the other holders by using the acquired member AIDs. Namely, there arises a problem that the pretending using the member AIDs becomes possible. Moreover, if that holder places the member AIDs and Enablers of member AIDs on a medium that is readable by unspecified many, these member AIDs become accessible to anyone so that there arises a problem that the harassment to the users of the member AIDs may occur and the pretending using the member AIDs by a [...] becomes possible.

[0223] For this reason, in this third embodiment, it is made possible to carry out the MakePAT and the TransPAT without giving the Enablers of member AIDs to the holder.

[0224] To this end, in this third embodiment, the generation of a new PAT and the content change of the existing PAT are carried out by using Null-AID (AIDNull) and Enabler of Null-AID (Enabler of AIDNull).

[0225] Here, the processing involving the Null-AID obeys all of the following rules:

(a) the processing rules of MakePAT, MergePAT, SplitPAT and TransPAT as in the above described embodiment; and

(b) the rules applicable only to the Null-AID, including:

(i) Null-AID is known to every user, and
(ii) Enabler of Null-AID is known to every user.

[0226] Here, the processing rules as defined in the above described embodiment in the case of this third embodiment will be described.

(1) Making a PAT from plural AIDs (MakePAT):

AIDholder + AIDmember1 + AIDmember2 + ... + AIDmemberN
+ Enabler of AIDmember1 + Enabler of AIDmember2 + ... + Enabler of AIDmemberN + Enabler of AIDholder
-> PAT<AIDholder | AIDmember1, AIDmember2, ..., AIDmemberN >

(2) Merging plural PATs of the same holder (MergePAT):

PAT<AIDholder | AIDmembera1, AIDmembera2, ..., AIDmemberaM >
+ PAT<AIDholder | AIDmemberb1, AIDmemberb2, ..., AIDmemberbN >
+ Enabler of AIDholder
-> PAT<AIDholder | AIDmembera1, AIDmembera2, ..., AIDmemberaM, AIDmemberb1, AIDmemberb2, ..., AIDmemberbN >

(3) Splitting a PAT into plural PATs of the same holder (SplitPAT):

PAT<AIDholder | AIDmembera1, AIDmembera2, ..., AIDmemberaM, AIDmemberb1, AIDmemberb2, ..., AIDmemberbN >
+ Enabler of AIDholder
-> PAT<AIDholder | AIDmembera1, AIDmembera2, ..., AIDmemberaM >
+ PAT<AIDholder | AIDmemberb1, AIDmemberb2, ..., AIDmemberbN >

(4) Changing the holder AID of a PAT (TransPAT):

PAT<AIDholder | AIDmembera1, AIDmembera2, ..., AIDmemberaM > + PAT<AIDholder | AIDnewholder >
+ Enabler of AIDholder + Enabler of AIDnewholder
-> PAT<AIDnewholder | AIDmembera1, AIDmembera2, ..., AIDmemberaM >

[0227] The method for specifying the validity period value and the transfer control flag value in the PAT containing the Null-AID is similar to that for specifying the validity period value and the transfer control flag value in the second embodiment described above.

Next, the exemplary processing involving the Null-AID will be described:

(1) Case of producing PAT<AIDNull | AIDA > from AIDA and Enabler of AIDA:

(a) According to the above described rules (b)(i) and (b)(ii) of the Null-AID, AIDNull and Enabler of AIDNull are known.
(b) Using MakePAT,

AIDNull + AIDA + Enabler of AIDA + Enabler of AIDNull
-> PAT<AIDNull | AIDA >.

(2) Case of producing PAT<AIDNull | AIDA, AIDB > from PAT<AIDNull | AIDA > and PAT<AIDNull | AIDB >:

(a) According to the above described rules (b)(i) and (b)(ii) of the Null-AID, AIDNull and Enabler of AIDNull are known.
(b) Using MergePAT,

+ Enabler of AIDNull
-> PAT<AIDNull | AIDA, AIDB >

(3) Case of producing PAT<AIDA | AIDB > from PAT<AIDNull | AIDA >, PAT<AIDNull | AIDB > and Enabler of AIDA:

(a) According to the above described rules (b)(i) and (b)(ii) of the Null-AID, AIDNull and Enabler of AIDNull are known.
(b) Using TransPAT,

+ Enabler of AIDNull + Enabler of AIDA

[0228] As shown in Fig. 25, the data structure of the Null-AID comprises a character string uniquely indicating that it is Null-AID (a character string defined by the CA, for example), which is signed by the CA using the secret key of the CA.

[0229] Also, as shown in Fig. 26, the data structure of the Enabler of Null-AID comprises a character string uniquely indicating that it is Enabler (a character string defined by the CA, for example) and the Null-AID itself, which is signed by the CA using the secret key of the CA.

[0230] Note that the Null-AID and the Enabler of Null-AID are maintained at secure PAT processing devices and secure PAT certification authority.

[0231] Next, the first exemplary application of this third embodiment will be described with reference to Fig. 27, which includes the following operations.

(1) The user-B (PAT member) generates PAT<AIDNull | AIDB > by executing the above described exemplary processing (1) involving the Null-AID at the secure PAT processing device which is connected with the terminal of the user-B, and gives it to the user-A (PAT holder) by arbitrary means.

(2) The user-A who received PAT<AIDNull | AIDB > carries out the following operations at the secure PAT processing device which is connected with the terminal of the user-A.

(a) PAT<AIDNull | AIDA > is produced by executing the above described exemplary processing (1) involving the Null-AID.

(b) PAT<AIDA | AIDB > is produced by executing the above described exemplary processing (3) involving the Null-AID.

(3) The user-A gives the generated PAT<AIDA | AIDB > to the user-B by arbitrary means.

[0232] Note that the method for determining the validity period is the same as described above so that it will not be repeated here. Also, the processing involving the Null-AID is the same as described above so that it will not be repeated here.
.(*n-^®.!??^^^t^>Ming :PAT^^ AlDg 

proce5^ng(2].ir^^ toe VuihAiDd^ in 

[0234] Next, the second exemplary application of this third embodiment will be described with reference to Fig. 28, which includes the following operations.

(1) The user-B (PAT member) generates PAT<AIDNull | AIDB > by executing the above described exemplary processing (1) involving the Null-AID at the secure PAT processing device which is connected with the terminal of the user-B, and registers it along with arbitrary disclosed information at the ADS.

(2) The user-A produces PAT<AIDNull | AIDA > by executing the above described exemplary processing (1) involving the Null-AID at the secure PAT processing device which is connected with the terminal of the user-A, and presents it along with arbitrary search conditions to the ADS.

(3) When the personal information of the user-B satisfies the search conditions presented by the user-A, the secure PAT processing device connected with the ADS carries out the following operations.

(a) PAT<AIDNull | AIDA, AIDB > is produced by executing the above described exemplary processing (2) involving the Null-AID.
(b) The produced PAT<AIDNull | AIDA, AIDB > is given to the ADS.

(4) The ADS gives PAT<AIDNull | AIDA, AIDB > produced by the PAT processing device to the user-A.

(5) The user-A who received PAT<AIDNull | AIDA, AIDB > produces PAT<AIDA | AIDB > by executing the following TransPAT processing at the secure PAT processing device which is connected with the terminal of the user-A.

PAT<AIDNull | AIDA > + PAT<AIDNull | AIDA, AIDB >
+ Enabler of AIDNull + Enabler of AIDA
-> PAT<AIDA | AIDB >.

[0235] Note that the method for determining the validity period is the same as described above so that it will not be repeated here. Also, the processing involving the Null-AID is the same as described above so that it will not be repeated here.
[0236] In the case of generating PAT<AID^ | Aip^ > at , ^ 
the PAT processing device comecled wlth thfe AEiS." ' 
Enabler of AID^ will 'be given io Uiaf PAT-prcfcessing^^^^ 
device, and the above desicTibed iexeri tpkry processing ; ' 
(3) inrvolving fte-^iull^v^lD^Win be^S^cW^ 
tion (3) described above^ j ? i' ce r&f., ^ 

[0237] IntHe icase-df ^efierating P^<K^£];K\bf^ 
the PAT prbcessmg def ice cbniVected^^w "\ 
giving tt'to th^ ifsdr-BrEn^l^ri^ 

that PAT processing de>^ce! arid the ^jftjoye" dfeiSicrtb^^; 75 
exemplary prbcerssing <3) invoh^ihg the Nf^ll will^lSig'^,^* 
executed in the opefalfidn (3) desciibetf abo^fe/ 
[0238] Next, with references to Fig. 29 to Fig. 31, the fourth embodiment of the email access control scheme according to the present invention will be described in detail.

[0239] In the group communication, a situation where it is desired to fix the participants is frequently encountered, but the above described embodiment does not have a function for making it impossible to change the PAT so that the participants cannot be fixed. Namely, in the above described embodiment, whether or not to fix the participants is left to the judgement of the holder of the PAT.

[0240] For this reason, in this fourth embodiment, a read only attribute is set up in the PAT. More specifically, in this fourth embodiment, the read only attribute is set up in the PAT by using God-AID (AIDGod).

[0241] Here, the processing involving the God-AID obeys all of the following rules:

(a) God-AID is known to every user, and

(b) this processing involving God-AID is allowed only in the following cases:

(i) a case where the AIDholder is neither AIDNull nor AIDGod:

PAT<AIDholder | AIDmember1, AIDmember2, ..., AIDmemberN > + Enabler of AIDholder
-> PAT<AIDGod | AIDholder, AIDmember1, AIDmember2, ..., AIDmemberN >

(ii) a case where AIDholder is AIDNull:

PAT<AIDNull | AIDmember1, AIDmember2, ..., AIDmemberN >
+ Enabler of AIDNull
-> PAT<AIDGod | AIDmember1, AIDmember2, ..., AIDmemberN >

[0242] As shown in Fig. 29, the data structure of the God-AID comprises a character string uniquely indicating that it is God-AID (a character string defined by the CA, for example), which is signed by the CA using the secret key of the CA. The God-AID is maintained at the secure PAT processing devices and the secure PAT certification authority described above.

[0243] The processings of a PAT that contains the Null-AID are according to Fig. 21 to Fig. 24. When the holder AID is neither Null-AID nor God-AID, the God-AID is appended to the AID list, and the holder index value is specified to be a position of the God-AID in the AID list after appending the God-AID. When the holder AID is Null-AID, the Null-AID is deleted from the AID list, the God-AID is appended to the AID list, and then the holder index value is specified to be a position of the God-AID in the AID list after appending the God-AID.
[0244] Next, the exemplary application of this fourth embodiment will be described with reference to Fig. 30.

[0245] In the case of producing PAT<AIDGod | AIDA, AIDB > from PAT<AIDNull | AIDA > and PAT<AIDNull | AIDB >, the following processing is executed at the secure PAT processing device which is connected with the terminal of the PAT holder (user-A in Fig. 30).

(1) Using MergePAT,

PAT<AIDNull | AIDA > + PAT<AIDNull | AIDB >
+ Enabler of AIDNull
-> PAT<AIDNull | AIDA, AIDB >

(2) According to the above described rule (a) of the God-AID, AIDGod is known.

(3) According to the above described rule (b)(ii) of the God-AID,

PAT<AIDNull | AIDA, AIDB > + Enabler of AIDNull
-> PAT<AIDGod | AIDA, AIDB >

[0246] The above processing is also executed at the secure PAT processing device connected with a computer (search engine, etc.) of the third person (Fig. 31) or at the secure PAT certification authority.

[0247] Next, with reference to Fig. 32, the fifth embodiment of the email access control scheme according to the present invention will be described in detail.

[0248] When the Null-AID is added as described in the third embodiment, there arises a problem that it becomes possible for the holder of the PAT (the user of the holder AID) to transfer the access right with respect to the member (the user of the member AID) to the third person, and moreover this transfer can be done without a permission of the member, as will be described now.

(1) The holder-A of PAT<AIDA | AIDB > (for the member-B) produces PAT<AIDNull | AIDB > by using PAT<AIDA | AIDB >, AIDA, and Enabler of AIDA. Here, it is assumed that the holder-A knows all of AIDA, Enabler of AIDA, AIDNull, and Enabler of AIDNull in addition to PAT<AIDA | AIDB >.

(a) The holder-A produces PAT<AIDA | AIDNull > using the MakePAT as follows.

AIDA + AIDNull + Enabler of

(b) The holder-A produces PAT<AIDNull | AIDB > using the TransPAT as follows.

+ Enabler of AIDA + Enabler of AIDNull

After the above described operation (1)(b), if the holder-A gives PAT<AIDNull | AIDB > to the third person-C, the following operation (2) becomes possible:

(2) The third person-C produces PAT<AIDC | AIDB > by using PAT<AIDNull | AIDB >. Here, it is assumed that the third person-C knows all of AIDC, Enabler of AIDC, AIDNull, and Enabler of AIDNull in addition to PAT<AIDNull | AIDB >.

(a) The third person-C produces PAT<AIDNull | AIDC > using the MakePAT as follows.

AIDNull + AIDC + Enabler of AIDC + Enabler of AIDNull
-> PAT<AIDNull | AIDC >

(b) The third person-C produces PAT<AIDC | AIDB > using the TransPAT as follows.

PAT<AIDNull | AIDB > + PAT<AIDNull | AIDC >
+ Enabler of AIDNull + Enabler of AIDC
-> PAT<AIDC | AIDB >

[0249] As a result of the above described operation (2)(b), the third person-C obtains PAT<AIDC | AIDB > so that accesses to the member-B become possible.
[0250] For this reason, in this fifth embodiment, it is made impossible for the holder of PAT<AIDholder | AIDmember > to produce PAT<AIDNull | AIDmember > from this PAT<AIDholder | AIDmember > as long as the holder does not know Enabler of AIDmember.

[0251] In the third enrdDodimoit described above, in 
order ,^fpr^th,egf5^Tr^^^ PAT<AIDnui) | AID- 

member> wtj^uf-^^^^ Enabier A AID^ernber. it is neces- 
sary to prcxiuce*P>PJ<^^ . . 
[0252]. .^ 5P;^t*^>'S:efX^Jr^' t^^^^ for the 
Null-'i^i5 describ'iki in flie tttind-er^^ thefollow- 
. ing cuIeJS^^cWed ''V^^^ 'vr T ' ^. " 

* ^tbjejNijll-/^lD^h AID of 

Ihe PAt (the.NjJli-AID^canTO^^^ mem- 

• • AiPmemterN i^?'^ ; iS : a"pW,ed, , but 
1fAq:i>^l(^hc^^^ -AIDn^h, Aip^rnemterlj* Alpme^ 

>-.r:,.;v;..r.t,,.^iPmemt?©rN^isn^^^^ 
Each of the secure PAT processing devices and the secure PAT certification authority is additionally equipped with a function for checking whether the Null-AID is contained as the member AID or not. This member processing is carried out according to Fig. 32 as follows.

(1) Null-AID and PAT are entered (step S6911).
(2) All the member AIDs are taken out from the PAT entered at the step S6911 (step S6913).
(3) Each of the taken out member AIDs is compared with the Null-AID entered at the step S6911 (step S6915).

If all the member AIDs do not completely match with the Null-AID (step S6917 NO, step S6919 NO), the processing proceeds to the MergePAT, SplitPAT or TransPAT processing (Fig. 21 or Fig. 22) (step S6921).

If there is a member AID that completely matches with the Null-AID (step S6917 YES), the processing is terminated.
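The transfer of [0248] to [0249] and the member check of Fig. 32, replayed on a small model, as an added example that is not part of the patent text. Assumptions of this model: an HMAC with a constructed key stands in for the CA signature, PAT signatures are omitted, operation (1)(a) is read as producing PAT<A | Null>, and every class and function name is hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass

CA_KEY = b"constructed-demo-ca-key"   # assumption: HMAC stands in for the CA signature
ENABLER_TAG = "ENABLER"               # assumption: the string certifying "this is an Enabler"


def ca_sign(body: str) -> str:
    return hmac.new(CA_KEY, body.encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Signed:
    """An AID or an Enabler: a body plus the CA's signature over it."""
    body: str
    sig: str

    def intact(self) -> bool:
        return hmac.compare_digest(self.sig, ca_sign(self.body))


def issue_aid(name: str) -> Signed:
    return Signed(f"AID:{name}", ca_sign(f"AID:{name}"))


def issue_enabler(aid: Signed) -> Signed:
    body = f"{ENABLER_TAG}|{aid.body}"   # top field = tag, then the AID itself
    return Signed(body, ca_sign(body))


def enabler_matches(aid: Signed, enabler: Signed) -> bool:
    """Fig. 24: verify both signatures, check the tag field, compare the AIDs."""
    if not (aid.intact() and enabler.intact()):
        return False
    tag, _, inner = enabler.body.partition("|")
    return tag == ENABLER_TAG and inner == aid.body


NULL_AID = issue_aid("Null")              # known to every user (rule (b)(i))
NULL_ENABLER = issue_enabler(NULL_AID)    # known to every user (rule (b)(ii))


@dataclass(frozen=True)
class PAT:
    holder: Signed
    members: frozenset


class Refused(Exception):
    pass


class PATDevice:
    """Model of a secure PAT processing device (PAT signatures are omitted)."""

    def __init__(self, reject_null_member: bool):
        self.reject_null_member = reject_null_member

    def _check_members(self, *pats: PAT) -> None:
        # Fig. 32: stop before Merge/Split/TransPAT if a member AID is the Null-AID.
        if self.reject_null_member and any(NULL_AID in p.members for p in pats):
            raise Refused("Null-AID is contained as a member AID")

    def make_pat(self, holder, members, enablers) -> PAT:
        if not any(enabler_matches(holder, e) for e in enablers):
            raise Refused("no Enabler corresponds to the holder AID")
        # Only AIDs that have a corresponding Enabler become member AIDs.
        kept = frozenset(m for m in members
                         if any(enabler_matches(m, e) for e in enablers))
        return PAT(holder, kept)

    def trans_pat(self, pat1, pat2, new_holder, holder_enabler, new_enabler) -> PAT:
        self._check_members(pat1, pat2)
        if new_holder not in pat2.members:
            raise Refused("new holder AID is not contained in the second PAT")
        if not (enabler_matches(pat1.holder, holder_enabler)
                and enabler_matches(pat2.holder, holder_enabler)):
            raise Refused("Enabler does not correspond to both PATs")
        if not enabler_matches(new_holder, new_enabler):
            raise Refused("Enabler does not correspond to the new holder AID")
        return PAT(new_holder, (pat1.members | pat2.members) - {new_holder})


def replay_transfer(device: PATDevice) -> PAT:
    """Operations (1)(a) to (2)(b) of [0248]; B's Enabler is never used."""
    a, b, c = issue_aid("A"), issue_aid("B"), issue_aid("C")
    en_a, en_c = issue_enabler(a), issue_enabler(c)
    pat_a_b = PAT(a, frozenset({b}))      # constructed starting state: PAT<A | B>
    # (1)(a) holder-A: MakePAT -> PAT<A | Null>
    pat_a_null = device.make_pat(a, [NULL_AID], [en_a, NULL_ENABLER])
    # (1)(b) holder-A: TransPAT -> PAT<Null | B>, then handed to third person-C
    pat_null_b = device.trans_pat(pat_a_b, pat_a_null, NULL_AID, en_a, NULL_ENABLER)
    # (2)(a) third person-C: MakePAT -> PAT<Null | C>
    pat_null_c = device.make_pat(NULL_AID, [c], [en_c, NULL_ENABLER])
    # (2)(b) third person-C: TransPAT -> PAT<C | B>
    return device.trans_pat(pat_null_b, pat_null_c, c, NULL_ENABLER, en_c)


if __name__ == "__main__":
    third = replay_transfer(PATDevice(reject_null_member=False))
    print("third embodiment:", third.holder.body, sorted(m.body for m in third.members))
    try:
        replay_transfer(PATDevice(reject_null_member=True))
    except Refused as exc:
        print("fifth embodiment:", exc)
```

With the check disabled the replay ends in PAT<C | B> without B's Enabler ever being presented; with it enabled the device refuses at operation (1)(b), because PAT<A | Null> carries the Null-AID as a member AID.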

[0253] Next, with reference to Fig. 33 to Fig. 39, the sixth embodiment of the email access control scheme according to the present invention will be described in detail.

[0254] This sixth embodiment differs from the first embodiment described above in that a link information is added to the AID of Fig. 2 used in the first embodiment, as shown in a part (b) of Fig. 34, while a link information of the AID is set instead of the AID itself that is contained in the 1-to-1 PAT of Fig. 2, as shown in a part (c) of Fig. 34, such that the AID is uniquely identified by the link information.

[0255] Note that such an AID to which the link information is added will be referred to as a link information attached AID, and a 1-to-1 PAT having the link information of the AID will be referred to as a link specifying 1-to-1 PAT. Also, the link information is an information capable of uniquely identifying the AID, which is given by a kind of data generally known as identifier such as a serial number uniquely assigned to the AID by the CA for example.
[0256] Fig. 33 shows an overall configuration of a communication system in this sixth embodiment.

[0257] In Fig. 33, the CA (Certification Authority) 1 has a right to authenticate OIDs and a right to issue AIDs, and functions to allocate the AIDs to users 3.
[0258] The SCS (Secure CommunicatiOif Sfer\Hbly^ ^'lo 
transfers emails arriong the users ^3, carries, out 1h|5 
receiving refusal "^ancf %'e M?Jenffiy ^jocf^i^'eln^" Jrj^ 
extraction ^dftheOi&ac&tdihg^^^ ''I' 
[0259] The ADS (Anonymous Directory Service) 7 is a database for managing the AID, the transfer control flag value, the validity period value, and the disclosed information of each user 3. The ADS 7 has a function to generate the PAT from the AID of a searcher and the AID of a registrant who satisfies the search conditions, and issue it to the searcher.

[0260] A series of processing from generating the AID from the OID according to a request from a user until allocating the AID to that user is basically the same as in the first embodiment, except that the link information is to be added, which will now be described with reference to Fig. 34.

[0261] Fig. 34 shows exemplary formats of the OID, the link information attached AID, and the link specifying 1-to-1 PAT. As shown in a part (a) of Fig. 34, the OID is an information comprising an arbitrary character string according to a rule by which the CA 1 can uniquely identify the user and a public key, which is signed by the CA 1.

[0262] Also, as shown in a part (b) of Fig. 34, the link information attached AID is an information comprising fragments of the OID and their position information, redundant character strings, an SCS information given by an arbitrary character string (host name, real domain name, etc.) by which a host or a domain that is operating the SCS 5 can be uniquely identified on the network, and the link information, which is signed by the CA 1.

[0263] Also, as shown in a part (c) of Fig. 34, the link specifying 1-to-1 PAT is an information comprising the transfer control flag, the link information of AID0, the link information of AID1, and the validity period, which is signed by the ADS 7 using a secret key of the ADS 7.

[0264] A procedure by which the user 3 requests the link information attached AID to the CA 1 is the same as that of the first embodiment. A procedure by which the CA 1 issues the link information attached AID to the user 3 in response to a request for the AID is also the same as that of the first embodiment.
[0265] Next, the link information attached AID generation processing at the CA will be described with reference to Fig. 35.

[0266] In the procedure of Fig. 35, the CA 1 generates an information of a length equal to the total length L of the OID, and sets this information as a tentative AID (step S7211). Then, in order to carry out the partial copying of the OID, values of parameters p_i and l_i for specifying a copying region are determined using arbitrary means such as random number generation respectively (step S7213). Here, [...] equal to the total length L of the OID, and l_i is an arbitrarily defined value within a range in which a relationship of 0 ≤ l_i ≤ L holds. Then, an information in a range between a position p_i to a position p_i + l_i from the top of the OID is copied to the same positions in the tentative AID (step S7215). In other words, this OID fragment is copied to a range between a position p_i and a position p_i + l_i from the top of the tentative AID. Then, the values of p_i and l_i are written into a prescribed range in the tentative AID into which the OID has been partially copied, in a form encrypted by an arbitrary means (step S7217). Then, an SCS information given by an arbitrary character string (host name, real domain, etc.) that can uniquely identify a host or a domain that is operating the SCS 5 on the network is written into a prescribed range in the tentative AID into which these values are written (step S7219). Then, the link information is written (step S7220). Then, the tentative AID into which the above character string and the link information are written is signed using a secret key of the CA 1 (step S7221).

[0267] Next, a procedure for registering the AID of a user-B 3 and the disclosed information at the ADS 7 will be described. First, the bidirectional authentication by arbitrary means using the AID of the user-B 3 and the certificate of the ADS 7 is carried out between the user-B 3 who is a registrant and the ADS 7. Then, the user-B 3 transmits the transfer control flag value, the validity period value, and the disclosed information such as interests to the ADS 7. Then, the ADS 7 stores the transfer control flag value, the validity period value, and the entire disclosed information in relation to the AID of the user-B 3 in its storage device. Here, there can be cases where communications between the user-B 3 who is the registrant and the ADS 7 are to be encrypted.
[0268] Next, a procedure by which a user-A 3 searches through the disclosed information that is registered in the ADS 7 will be described. First, the bidirectional authentication by arbitrary means using the AID of the user-A 3 and the certificate of the ADS 7 is carried out between the user-A 3 who is a searcher and the ADS 7. Then, the user-A 3 transmits arbitrary search conditions to the ADS 7. Then, the ADS 7 presents all the received search conditions to its storage device, and extracts the AID of a registrant which satisfies these search conditions. Then, the ADS 7 generates the link specifying 1-to-1 PAT from the link information of the AID of the user-A 3 and the link information of the AID of the registrant who satisfied the search conditions, the transfer control flag value, and the validity period value. Then, the ADS 7 transmits the generated PAT to the user-A 3. Here, there can be cases where communications between the user-A 3 who is a searcher and the ADS 7 are to be encrypted. Note that the link specifying 1-to-1 PAT is generated as a search result of the ADS 7.

[0269] Next, the link specifying 1-to-1 PAT generation processing at the ADS 7 will be described with reference to Fig. 36.

[0270] First, an information of a prescribed length is generated, and this information is set as a tentative PAT (step S7510). Then, the link information of the AID of the user-A 3 who is a searcher and the link information of the AID of the user-B 3 who is a registrant are copied into a prescribed region of the tentative PAT (step S7516). Then, the transfer control flag value and the validity period value are written into prescribed regions of the tentative PAT into which the link informations of the AIDs are copied (step S[...]). Then, the tentative PAT into which these values are written is signed using a secret key of the ADS 7 (step S7519).
[0271 ] -Nlext; the trarisf er control using the jink specify- 
ing i -to-l FAT will be de^rikjecJ: Th 
a function tor limitihg a'ccessei to" a user who h4s a 
proper access right from a third pei^oVi 'fo whom the PAT 
has been transferred or who has eavesdropped the PAT 
(a user wrfio originally 'does hot have tfie access, right). 
[0272] The ADS 7sfr^ the use'r-B^S of tfie registrant 
AID can prohibit a coinnectiort. fo ^the user^^^^ ifrbm a 
thind'person who does not have the afccess right, by set- 
ting a certain valuein to the transfer control flag of the 

RAT- "^V:" * ' - ' \ . 

[0273] „ When the transfer control flag Value is set to be 
1 , the sender's AID is'ajjthenti^ated betyifeeri.the.SCS 5 
and the -sender accbnding' tp ari_ arbitrary chal- 
lenge/response proc^,^ sp that ;eyeh if the sender 
gives both the sender's AID and tfie PAT tp^anothb'r user 
other than the sender, that another user'wlll nbf b§ able 
to make a connection to the registrant of the ADS 7 
through the SCS ; 
[0274] On the other hand, when the transfer control flag value is set to be 0, no challenge/response process will be carried out between the SCS 5 and the sender, so that if the sender gives both the sender's AID and the PAT to another user other than the sender, that another user will also be able to make a connection to the registrant of the ADS 7 through the SCS 5.
[0275] Next, the email access control method at the SCS 5 will be described with reference to Fig. 37.
[0276] The sender specifies "[sender's AID]@[real domain of SCS of sender]" in From: line, and "[PAT]@[real domain of SCS of sender]" in To: line.
[0277] The SCS 5 acquires a mail received by an MTA (Message Transfer Agent) such as SMTP (Simple Mail Transfer Protocol), and executes the processing of Fig. 37 as follows.

(1) The signature of the PAT is verified using a public key of the ADS 7 (step S7713).

When the PAT is found to have been altered (step S7715 YES), the mail is discarded and the processing is terminated (step S7716).

When the PAT is found to have been not altered (step S7715 NO), the following processing (2) is executed.

(2) The search is carried out by presenting the link information of the sender's AID to the PAT (steps …).

When a link information that completely matches with the link information of the sender's AID is not contained in the PAT (step S7723 NO), the mail is discarded and the processing is terminated.

When a link information that completely matches with the link information of the sender's AID is contained in the PAT (step S7723 YES), the following processing (3) is executed.

(3) The validity period value of the PAT is evaluated (steps S7725, S7727).

When the PAT is outside the validity period (step S7727 NO), the mail is discarded and the processing is terminated (step S7716).

When the PAT is within the validity period (step S7727 YES), the following processing (4) is executed.

(4) Whether or not to authenticate the sender is determined by referring to the transfer control flag value of the PAT (steps S7731, S7733).

When the value is 1 (step S7733 YES), the SCS 5 acquires the sender's AID itself and the public key of the sender's AID by presenting the link information to the CA 1, and then the challenge/response authentication between the SCS 5 and the sender is carried out and the signature of the sender is verified (step S7735). When the signature is valid, the recipient is specified and the PAT is attached (step S7737). When the signature is invalid, the mail is discarded and the processing is terminated (step S7716).

When the value is 0 (step S7733 NO), the recipient is specified and the PAT is attached without executing the challenge/response authentication (step S7737).

[0278] The challenge/response authentication between the SCS 5 and the sender is the same as that for the 1-to-1 PAT described above.
[0279] Next, a method for specifying the recipient at the SCS 5 will be described. First, the SCS 5 carries out the search by presenting the link information of the sender's AID to the PAT, so as to acquire all the link informations which do not completely match the link information of the sender's AID. Then, the search is carried out by presenting all these acquired link informations to the CA 1 so as to acquire the AIDs. All these acquired AIDs will be defined as recipient's AIDs hereafter. Then, for every recipient's AID, the real domain of SCS of recipient is taken out from the recipient's AID. Then, the recipient is specified in a format of "[recipient's AID]@[real domain of SCS of recipient]". Finally, the SCS 5 changes the sender from a format of "[sender's AID]@[real domain of SCS of sender]" to a format of "sender's AID".
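The checks (1) to (4) of Fig. 37 and the recipient selection of [0279], as an added Python sketch that is not part of the patent text. Assumptions: HMAC-SHA256 stands in for both the ADS 7 signature and the sender's challenge/response signature (the patent uses key pairs and leaves the challenge/response process arbitrary), the validity period is modelled as an absolute expiry time, and all names, keys and link values are constructed.

```python
import hashlib
import hmac
import json
import os

ADS_KEY = b"constructed-ads-key"  # stand-in for the ADS 7 signing key


def mac(key, data):
    """HMAC-SHA256 used here in place of a public-key signature (assumption)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def canonical(body):
    return json.dumps(body, sort_keys=True).encode()


def issue_pat(sender_link, registrant_link, transfer_flag, valid_until):
    """ADS side: build and sign a link specifying 1-to-1 PAT."""
    body = {"links": [sender_link, registrant_link],
            "transfer_flag": transfer_flag,
            "valid_until": valid_until}
    return {"body": body, "sig": mac(ADS_KEY, canonical(body))}


def make_responder(key):
    """Sender side: answers a challenge with the key bound to the sender's AID."""
    return lambda challenge: mac(key, challenge)


def scs_process(pat, sender_link, now, respond=None, ca_keys=None):
    """SCS side: returns (decision, recipient links)."""
    body = pat["body"]
    # (1) PAT signature: an altered PAT is discarded.
    if not hmac.compare_digest(pat["sig"], mac(ADS_KEY, canonical(body))):
        return "discard: PAT altered", []
    # (2) The sender's link information must match an entry completely.
    if sender_link not in body["links"]:
        return "discard: sender not in PAT", []
    # (3) Validity period.
    if now > body["valid_until"]:
        return "discard: PAT outside validity period", []
    # (4) Transfer control flag 1: the sender must prove possession of the
    # key that the CA associates with the sender's link information.
    if body["transfer_flag"] == 1:
        key = (ca_keys or {}).get(sender_link)
        challenge = os.urandom(16)
        answer = respond(challenge) if respond else None
        if key is None or answer is None or \
                not hmac.compare_digest(answer, mac(key, challenge)):
            return "discard: sender authentication failed", []
    # Recipient selection: every link that is not the sender's.
    return "deliver", [l for l in body["links"] if l != sender_link]
```

With the flag set to 1 a copied PAT plus the sender's AID is not enough to reach the registrant; with the flag set to 0 the same copy is accepted, which is the trade-off [0273] and [0274] describe.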

[0280] The method for attaching the PAT at the SCS 5 is the same as that for the 1-to-1 PAT described above.
[0281] Next, a method of receiving refusal with respect to the PAT at the SCS 5 will be described.
[0282] Receiving refusal setting: The bidirectional authentication is carried out by an arbitrary means between the user and the SCS 5. Then, the user transmits a registration command, his/her own AID, and arbitrary PATs to the SCS 5. Then, the SCS 5 verifies the signature of the received AID. If the signature is invalid, the processing of the SCS 5 is terminated. If the signature is valid, the SCS 5 next verifies the signature of each received PAT using a public key of the ADS 7. Those PATs with the invalid signature are discarded by the SCS 5. When the signature is valid, the SCS 5 takes out the link information from the received AID, and then carries out the search by presenting the taken out link information to each PAT. For each of those PATs which contain the link information that completely matches with the link information of the received AID, the SCS 5 presents the registration command and the PAT to the storage device such that the PAT is registered into the storage device. Those PATs which do not contain the link information that completely matches with the link information of the received AID are discarded by the SCS 5 without storing them into the storage device. Here, there can be cases where communications between the user and the SCS 5 are to be encrypted.
[0283] Receiving refusal execution: The SCS 5 carries out the search by presenting the PAT to the storage device. When a PAT that completely matches the presented PAT is registered in the storage device, the mail is discarded. When a PAT that completely matches the presented PAT is not registered in the storage device, the mail is not discarded.
[0284] Receiving refusal cancellation: The bidirectional authentication is carried out by an arbitrary means between the user and the SCS 5. Then, the user presents his/her own AID to the SCS 5. Then, the SCS 5 verifies the signature of the received AID. If the signature is invalid, the processing of the SCS 5 is terminated. If the signature is valid, the SCS 5 next takes out the link information from the presented AID, and presents the taken out link information as a search condition to the storage device and acquires all the PATs that contain the presented link information, and then presents all the acquired PATs to the user. Then, the user selects all the PATs for which the receiving refusal is to be cancelled by referring to all the PATs presented from the SCS 5, and transmits all the selected PATs along with a deletion command to the SCS 5. Upon receiving the deletion command and all the PATs for which the receiving refusal is to be cancelled, the SCS 5 presents the deletion command and all the PATs received from the user to the storage device, such that all the received PATs are deleted from the storage device.

[0285] Note that the method of receiving refusal with respect to the link specifying 1-to-N PAT at the SCS 5 is the same as the method of receiving refusal with respect to the link specifying 1-to-1 PAT described above.
[0286] Next, the judgement of identity will be described with reference to Fig. ….

(1) An initial value of a variable OID_M is defined as a bit sequence with a length equal to the total length L of the OID and all values equal to 0. Also, an initial value of a variable OID_V is defined as a bit sequence with a length equal to the total length L of the OID and all values equal to 0 (step S7911).

(2) One link information attached AID is selected from a set of processing target link information attached AIDs, and the following bit processing is carried out (step S7913).

(a) AID_M and AID_V are determined according to the position information contained in the selected link information attached AID (step S7915). Here, AID_M is defined as a bit sequence with a length equal to the total length L of the OID, in which a value of a position at which the OID information is defined is 1, while a value of a position at which the OID information is not defined is 0. Also, AID_V is defined as a bit sequence with a length equal to the total length L of the OID, in which a value of a position at which the OID information is defined is an actual value of the OID information while a value of a position at which the OID information is not defined is 0 (see Fig. 39).

(b) AND processing of OID_M and AID_M is carried out and its result is substituted into a variable OVR_M (step S7917).

(c) AND processing of OVR_M and AID_V as well as AND processing of OVR_M and OID_V are carried out and their results are compared (step S7919). When they coincide, OR processing of OID_M and AID_M is carried out and its result is substituted into OID_M (step S7921), while OR processing of OID_V and AID_V is also carried out and its result is substituted into OID_V (step S7923). On the other hand, when they do not coincide, the processing proceeds to the step S7925.

(d) A link information attached AID to be processed next is selected from the set of processing target link information attached AIDs. When at least one another link information attached AID is contained in the set, the steps S7913 to S7923 are executed for that another link information attached AID. When no other link information attached AID is contained in the set, the processing proceeds to the step S7927.

(e) Values of OID_M and OID_V are outputted (step S7927).

[0287] The value of OID_M that is eventually obtained indicates all positions of the OID information that can be recovered from the set of processing target link information attached AIDs. Also, the value of OID_V that is eventually obtained indicates all the OID information that can be recovered from the set of processing target link information attached AIDs. In other words, by using the values of OID_M and OID_V, it is possible to obtain the OID albeit probabilistically when the value of OID_V is used as a search condition, and it is possible to quantitatively evaluate a precision of the above search by a ratio of OID_M with respect to the total length L of the OID.
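The bit processing of steps S7911 to S7927, written out as an added Python example that is not part of the patent text. Assumptions: L is 16 bits, an AID is reduced to its (AID_M, AID_V) pair, and the two OIDs and the fragment positions are constructed sample values.

```python
from dataclasses import dataclass

L = 16  # constructed total OID length in bits


@dataclass(frozen=True)
class LinkedAid:
    aid_m: int  # 1 at every position where an OID fragment is present
    aid_v: int  # OID bits at those positions, 0 elsewhere


def issue_aid(oid, positions):
    """Keep only the OID bits at the given positions (what an AID reveals)."""
    aid_m = 0
    for p in positions:
        aid_m |= 1 << p
    return LinkedAid(aid_m, oid & aid_m)


def judge_identity(aids):
    """Accumulate OID_M / OID_V over a set of AIDs (steps S7911 to S7927)."""
    oid_m = 0  # positions recovered so far
    oid_v = 0  # values recovered so far
    for aid in aids:
        ovr_m = oid_m & aid.aid_m               # positions known on both sides
        if (ovr_m & aid.aid_v) == (ovr_m & oid_v):
            oid_m |= aid.aid_m                  # consistent: merge the fragment
            oid_v |= aid.aid_v
        # inconsistent on the overlap: this AID belongs to another OID, skip it
    return oid_m, oid_v


def precision(oid_m):
    """Share of the L positions that were recovered."""
    return bin(oid_m).count("1") / L


# Constructed sample: three AIDs of one OID and one AID of a different OID.
OID_X = 0xB3C5
OID_Y = 0x4C3A
SAMPLE = [
    issue_aid(OID_X, range(0, 6)),
    issue_aid(OID_X, range(4, 10)),
    issue_aid(OID_Y, range(8, 14)),    # conflicts with OID_X on bits 8 and 9
    issue_aid(OID_X, range(10, 16)),
]

# A fragment that shares no position with the accumulated mask is merged
# unconditionally, so a foreign AID can slip in; the result is probabilistic.
NO_OVERLAP = [issue_aid(OID_X, range(0, 6)), issue_aid(OID_Y, range(10, 16))]
```

The second sample shows why the recovered value is only a search condition for the CA: without overlapping positions there is nothing to compare, and the mix of two users' fragments matches neither OID.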
[0288] As described above, in this sixth embodiment, the CA 1 which is a Trusted Third Party with high secrecy and credibility generates the link information attached AID in which the personal information is concealed, from the OID that contains the highly secret personal information such as name, telephone number, real email address, etc., according to a user request, and issues the AID to the user. By identifying the user by this AID on the communication network as well as in various services provided on the communication network, it becomes possible to provide both the anonymity guarantee and the identity guarantee for the user. In other words, it becomes possible for the user to communicate with another user without revealing the own real name, telephone number, email address, etc., to that another user, and it also becomes possible to disclose the disclosed information to unspecified many through the ADS 7 as will be described below.
[0289] The user registers the disclosed information that is an information which is supposed to have a low secrecy compared with the personal information at the ADS 7. In the case of searching the disclosed information and the registrant AID, the searcher presents the link information attached AID of the searcher and arbitrary search conditions to the ADS 7. The ADS 7 then extracts the registrant link information attached AID that satisfies these search conditions, and generates the link specifying 1-to-1 PAT from the link information of the AID of the searcher and the link information of the AID of the registrant who satisfied the search conditions, the transfer control flag value, and the validity period value.
[0290] In this link specifying 1-to-1 PAT, the transfer control flag value and the validity period value are set as shown in a part (c) of Fig. 34, and by setting up this validity period in advance, it is possible to limit connections from the sender.

[0291] It is also possible to prohibit connections from a third person who does not have the access right, by using the transfer control flag value. Namely, when the transfer control flag value is set to be 1, the sender's AID is authenticated between the SCS 5 and the sender according to an arbitrary challenge/response process, so that even if the sender gives both the sender's AID and the PAT to another user other than the sender, that another user will not be able to make a connection to the registrant of the ADS 7 through the SCS 5. On the other hand, when the transfer control flag value is set to be 0, no challenge/response process will be carried out between the SCS 5 and the sender, so that if the sender gives both the sender's AID and the PAT to another user other than the sender, that another user will also be able to make a connection to the registrant of the ADS 7 through the SCS 5.

[0292] It is also pdssijileib r^ request -j 

to tfie cofTiPiunipajtipci netwqrk^ucbthat,^ which 
t^e >eQipie^^ 4ink .specifying 1 -to-l- 

PAT^^wSlt >e ; rece^^ the .^edpiem^^^ or the 

sender's XlD.s^ of the jink 

speci^^ng T^to^l/f^^^ it Is also pcesible to 

refuse receiving calls with the link specifying 1-to-1 PAT selected by the recipient among calls which are specified by the link specifying 1-to-1 PAT. It is also possible to cancel the receiving refusal of the calls with the link specifying 1-to-1 PAT selected by the recipient. In addition, as a measure against the sender who repeats the personal attack using a plurality of sender's AIDs by taking an advantage of the anonymity, it is possible to judge the identity of the OID from these plurality of sender's AIDs and it is possible to extract that OID at some probability.

[0293] Next, with reference to Fig. 40 to Fig. 49, the seventh embodiment of the email access control scheme according to the present invention will be described in detail.

[0294] In contrast to the sixth embodiment described above which is directed to the case where a sender and a recipient are set in 1-to-1 correspondence, this seventh embodiment is directed to the case where a sender and recipients are set in 1-to-N correspondence and a generation of a new link specifying 1-to-N PAT and a content change of the existing link specifying 1-to-N PAT can be made by the initiative of a user, similarly as in the second embodiment described above. Here, the sender is either a holder of the PAT or a member of the PAT. Similarly, the recipient is either a holder of the PAT or a member of the PAT.

[0295] As described in the second embodiment, in general, a membership of a group communication (mailing list, etc.) is changing dynamically so that it is necessary for a host of the group communication to manage information on a point of contact such as telephone number, email address, etc., of each member. In contrast, in the case where it is possible to newly generate a 1-to-1 PAT as in the sixth embodiment, the management of a point of contact is difficult. For example, it is difficult to manage the group collectively and even if it is given to the others for the purpose of the transfer control, it does not function as an address of the group communication such as mailing list.
[0296] In this seventh embodiment, in order to resolve such a problem, it is made possible to carry out a generation of a new link specifying 1-to-N PAT and a content change of the existing link specifying 1-to-N PAT by the initiative of a user.

[0297] First, the definition of various identifications used in this seventh embodiment will be described with references to Fig. 40 and Fig. 41.
[0298] As shown in a part (a) of Fig. 40, the OID is an information comprising … (name, telephone number, email address, etc.) according to a rule by which the CA 1 can uniquely identify the user and a public key, which is signed by the CA 1.
[0299] Also, as shown in a part (b) of Fig. 40, the link information attached AID is an information comprising fragments of the OID and their position information, redundant character strings, an SCS information given by an arbitrary character string (host name, real domain name, etc.) by which a host or a domain that is operating the SCS 5 can be uniquely identified on the network, and a link information, which is signed by the CA 1. Note that the AID may be encrypted at the SCS 5 or the CA 1. The link information is the same as in the sixth embodiment.

[0300] Also, as shown in a part (c) of Fig. 40, the link specifying 1-to-N PAT is an information comprising two or more link informations of AIDs, a holder index, the validity period, the transfer control flag, and a PAT processing device identifier, which is signed using a secret key of the PAT processing device.
[0301] Here, one of the link informations of AIDs is the link information of the holder AID of this PAT, where the change of the information contained in the PAT such as an addition of the link information of AID to the PAT, a deletion of the link information of AID from the PAT, a change of the validity period in the PAT, a change of the transfer control flag value in the PAT, etc., can be made by presenting the link information of the holder AID and a corresponding Enabler to the PAT processing device.
[0302] On the other hand, the link informations of AIDs other than the link information of the holder AID that are contained in the PAT are all link information of member AIDs, where a change of the information contained in the PAT cannot be made even when the link information of the member AID and a corresponding Enabler are presented to the PAT processing device.
[0303] The holder index is a numerical data for identifying the link information of the holder AID, which is defined to take a value 1 when the link information of the holder AID is a top link information of AID in the link specifying AID list formed from the link information of the holder AID and the link informations of the member AIDs, a value 2 when the link information of the holder AID is a second link information of AID from the top of the link specifying AID list, or a value n when the link information of the holder AID is an n-th link information of AID from the top of the link specifying AID list.
[0304] The transfer control flag value is defined to take either 0 or 1 similarly as in the case of the link specifying 1-to-1 PAT.

[0305] The link information of the holder AID is defined to be a link information of AID which is written at a position of the holder index value in the link specifying AID list. The link informations of the member AIDs are defined to be all the link informations of AIDs other than the link information of the holder AID.

[03p|y,^^7|^^ or 
, jconiSp^jp^ ,QyiT^ pumbB^^^^ PAT.is 
avajjgble^ifj^k:^ by!jwhk;ht4he PAT 

becopipi^wr^ time (UTjp) l?y. which 

]i^^&§99nj^3ys^^ r.eiafjye/tKne (Iffe- 

[0307] The identifier of the PAT processing device (or the PAT processing object on the network) is defined as a serial number of the PAT processing device (or a distinguished name of the PAT processing object on the network). The secret key of the PAT processing device (or the PAT processing object on the network) is defined to be uniquely corresponding to the identifier.

[0308] Also, in this second embodiment, an Enabler is introduced as an identifier corresponding to the AID. As shown in Fig. 41, the Enabler is an information comprising a character string uniquely indicating that it is an Enabler and a link information attached AID itself, which is signed by the CA 1.
[0309] Next, the operations for a generation of a new PAT and a content change of the existing PAT will be described. Here, the following operations are defined at a secure PAT processing device on the communication terminal or a PAT processing object on the CA or on a network which is properly requested from the CA (which will also be referred to as a PAT processing device hereafter). These operations are similar to those of the second embodiment described above so that they will be described by referring to Fig. 10 to Fig. 13 but it is assumed that each occurrence of AID in Fig. 10 to Fig. 13 should be replaced by the link information of AID in the following.

1. Editing of link specifying AID list:

A link specifying AID list, which is a list of link informations of AIDs contained in the PAT, is edited using link information attached AIDs and Enabler. Else, the link specifying AID list is newly generated.

2. Setting of the validity period and the transfer control flag:

The validity period value and the transfer control flag value contained in the PAT are changed using a link information attached AID and Enabler. Also, a new validity period value and a new transfer control flag value are set in the newly generated link specifying AID list.

[0310] A user who presented the holder AID and the Enabler corresponding to this holder AID to the PAT processing device can edit the list of link informations of AIDs contained in the PAT. In this case, the following processing rules are used.

(1) Generating a new PAT (MakePAT) (see Fig. 10):

The link specifying AID list (LALIST<(link)holder AID | (link)member AID_1, (link)member AID_2, ..., (link)member AID_n>) where (link)AID_x denotes the link information of AID_x is newly generated, and the validity period value and the transfer control flag value are set with respect to the generated LALIST.

    (link)AID_A + (link)AID_B + Enabler of AID_B + Enabler of AID_A
    → LALIST<(link)AID_A | (link)AID_B>

    LALIST<(link)AID_A | (link)AID_B> + Enabler of AID_A
    + validity period value
    + transfer control flag value
    → PAT<(link)AID_A | (link)AID_B>

(2) Merging PATs (MergePAT) (see Fig. 11):

A plurality of LALISTs of the same holder AID are merged and the validity period value and the transfer control flag value are set with respect to the merged LALIST.

    LALIST<(link)AID_A | (link)AID_B1, (link)AID_B2, ...>
    + LALIST<(link)AID_A | (link)AID_C1, (link)AID_C2, ...>
    + Enabler of AID_A
    → LALIST<(link)AID_A | (link)AID_B1, (link)AID_B2, ..., (link)AID_C1, (link)AID_C2, ...>

    LALIST<(link)AID_A | (link)AID_B1, (link)AID_B2, ..., (link)AID_C1, (link)AID_C2, ...>
    + Enabler of AID_A + validity period value
    + transfer control flag value
    → PAT<(link)AID_A | (link)AID_B1, (link)AID_B2, ..., (link)AID_C1, (link)AID_C2, ...>

(3) Splitting a PAT (SplitPAT) (see Fig. 12):

The LALIST is split into a plurality of LALISTs of the same holder AID, and the respective validity period value and transfer control flag value are set with respect to each one of the split LALISTs.

    LALIST<(link)AID_A | (link)AID_B1, (link)AID_B2, ..., (link)AID_C1, (link)AID_C2, ...>
    + Enabler of AID_A
    → LALIST<(link)AID_A | (link)AID_B1, (link)AID_B2, ...>
    + LALIST<(link)AID_A | (link)AID_C1, (link)AID_C2, ...>

    LALIST<(link)AID_A | (link)AID_C1, (link)AID_C2, ...>
    + Enabler of AID_A + validity period value
    + transfer control flag value
    → PAT<(link)AID_A | (link)AID_C1, (link)AID_C2, ...>

(4) Changing a holder of a PAT (TransPAT) (see Fig. 13):

The holder AID of the LALIST is changed, and the validity period value and the transfer control flag value are set with respect to the changed LALIST.

    LALIST<(link)AID_A | (link)AID_B>
    + LALIST<(link)AID_A | (link)AID_C1, (link)AID_C2, ...>
    + Enabler of AID_A + Enabler of AID_B
    → LALIST<(link)AID_B | (link)AID_C1, (link)AID_C2, ...>

    LALIST<(link)AID_B | (link)AID_C1, (link)AID_C2, ...>
    + Enabler of AID_B + validity period value
    + transfer control flag value
    → PAT<(link)AID_B | (link)AID_C1, (link)AID_C2, ...>

[0311] In the operation for setting the validity period value, in order to permit the setting of the validity period value only to a user who holds both the holder AID and the corresponding Enabler, the following operation is defined.

    PAT<(link)AID_A | (link)AID_B> + Enabler of AID_A
    + validity period value
    → PAT<(link)AID_A | (link)AID_B>

[0312] In the operation for setting the transfer control flag value, in order to permit the setting of the transfer control flag value only to a user who holds both the holder AID and the corresponding Enabler, the following operation is defined.

    PAT<(link)AID_A | (link)AID_B> + Enabler of AID_A
    + transfer control flag value
    → PAT<(link)AID_A | (link)AID_B>

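The holder-only editing rule of [0301], [0302], [0311] and [0312], as an added Python sketch that is not part of the patent text. Assumptions: HMAC-SHA256 stands in for the CA 1 signature on an Enabler and for the PAT processing device signature, the validity period is a plain integer, MakePAT checks only the holder's Enabler, and all names and link values are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

CA_KEY = b"constructed-ca-key"          # stand-in for the CA 1 signing key
DEVICE_KEY = b"constructed-device-key"  # stand-in for the device secret key


def mac(key, text):
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()


def issue_enabler(link):
    """CA side: a signed token stating 'this is an Enabler' for one AID."""
    return ("ENABLER", link, mac(CA_KEY, "ENABLER|" + link))


def enabler_matches(enabler, link):
    tag, bound_link, sig = enabler
    return (tag == "ENABLER" and bound_link == link
            and hmac.compare_digest(sig, mac(CA_KEY, "ENABLER|" + link)))


@dataclass(frozen=True)
class Pat:
    links: tuple        # link specifying AID list
    holder_index: int   # 1-based position of the holder's link information
    validity: int
    transfer_flag: int
    sig: str = ""

    @property
    def holder(self):
        return self.links[self.holder_index - 1]


def sign(pat):
    text = "|".join(pat.links) + \
        f"|{pat.holder_index}|{pat.validity}|{pat.transfer_flag}"
    return replace(pat, sig=mac(DEVICE_KEY, text))


def require_holder(holder_link, enablers):
    if not any(enabler_matches(e, holder_link) for e in enablers):
        raise PermissionError("no valid Enabler for the holder AID")


def make_pat(links, enablers, validity, transfer_flag):
    """First link is the holder; the holder's Enabler must be presented."""
    require_holder(links[0], enablers)
    return sign(Pat(tuple(links), 1, validity, transfer_flag))


def merge_pat(pats, enabler, validity, transfer_flag):
    """Merge lists of the same holder; only that holder may do it."""
    holder = pats[0].holder
    require_holder(holder, [enabler])
    if any(p.holder != holder for p in pats):
        raise ValueError("PATs have different holders")
    members = []
    for p in pats:
        for link in p.links:
            if link != holder and link not in members:
                members.append(link)
    return sign(Pat((holder, *members), 1, validity, transfer_flag))


def set_validity(pat, enabler, validity):
    require_holder(pat.holder, [enabler])
    return sign(replace(pat, validity=validity))


def set_transfer_flag(pat, enabler, transfer_flag):
    require_holder(pat.holder, [enabler])
    return sign(replace(pat, transfer_flag=transfer_flag))
```

A member's Enabler, or a holder link paired with a forged signature, raises `PermissionError` in every editing call, so membership alone never allows a change to the list, the validity period or the transfer control flag.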


[0313] Next, with references to Fig. 42 to Fig. 48, the overall system configuration of this seventh embodiment will be described. In Fig. 42 to Fig. 48, the user-A who has AID_A allocated from the CA stores AID_A and Enabler of AID_A in a computer of the user-A, and the input/output devices such as floppy disk drive, CD-ROM drive, communication board, microphone, speaker, etc., are connected. Else, AID_A and Enabler of AID_A are stored in a communication terminal (telephone, cellular phone, etc.) which has a storage device and a data input/output function.

[0314] Similarly, the user-B who has AID_B allocated from the CA stores AID_B and Enabler of AID_B in a computer of the user-B, and the input/output devices such as floppy disk drive, CD-ROM drive, communication board, microphone, speaker, etc., are connected. Else, AID_B and Enabler of AID_B are stored in a communication terminal (telephone, cellular phone, etc.) which has a storage device and a data input/output function.

[0315] In the following, a procedure by which the user-A generates PAT<(link)AID_A | (link)AID_B> will be described.

(1) The user-A acquires AID_B and Enabler of AID_B using any of the following means.

* AID_B and Enabler of AID_B are registered at the ADS 7, and it is waited until the user-A acquires them as a search result (Fig. 42).

* AID_B and Enabler of AID_B are directly transmitted to the user-A by the email, signaling, etc. (Figs. 43, 44).

* AID_B and Enabler of AID_B are stored in a magnetic, optic, or electronic medium such as floppy disk, CD-ROM, MO, IC card, etc., and this medium is given to the user-A. Else, it is waited until the user acquires them by reading this medium (Figs. 45, 46).

* AID_B and Enabler of AID_B are printed on a paper medium such as book, name card, etc., and this medium is given to the user-A. Else, it is waited until the user-A acquires them by reading this medium (Figs. 47, 48).
(2) The user-A who has acquired AID_B and Enabler of AID_B by any of the means described in the above (1) issues the MakePAT command to the PAT processing device. This procedure is common to Fig. … to Fig. ….

(a) The user-A requests the issuance of the MakePAT command by setting AID_A, Enabler of AID_A, AID_B, Enabler of AID_B, the validity period value, and the transfer control flag value into the communication terminal of the user-A.

(b) The communication terminal of the user-A generates the MakePAT command.

(c) The communication terminal of the user-A transmits the generated MakePAT command to the PAT processing device by means such as the email, signaling, etc. (the issuance of the MakePAT command).

(d) The PAT processing device generates PAT<(link)AID_A | (link)AID_B> by processing the received MakePAT command according to Fig. 21 and Fig. 49. More specifically, this is done as follows.

    (link)AID_A + (link)AID_B
    + Enabler of AID_B + Enabler of AID_A
    → LALIST<(link)AID_A | (link)AID_B>

    LALIST<(link)AID_A | (link)AID_B> + Enabler of AID_A
    + validity period value + transfer control flag value
    → PAT<(link)AID_A | (link)AID_B>

(e) The PAT processing device transmits the generated PAT<(link)AID_A | (link)AID_B> to the communication terminal of the user-A, or to the communication terminal of the user-B, according to the need, by means such as the email, signaling, etc.

(f) The communication terminal of the user-A (or the user-B) stores the received PAT<(link)AID_A | (link)AID_B> in the storage device of the communication terminal of the user-A.

[0316] The merging of PATs (MergePAT, Fig. 21, Fig. 49), the splitting of a PAT (SplitPAT, Fig. 22, Fig. 49), and the changing of a holder of a PAT (TransPAT, Fig. 21, Fig. 49) are also carried out by the similar procedure.
[0317] The procedure of MakePAT, MergePAT and TransPAT is similar to that described above with reference to Fig. 21, except that the AID should be replaced by the link information of the AID and the AID list should be replaced by the link specifying AID list. Also, the procedure of SplitPAT is similar to that described above with reference to Fig. 22, except that the AID should be replaced by the link information of the AID and the AID list should be replaced by the link specifying AID list.
[0318] Here; in ^6 procedjir^iS bf F^?^'f ^ 
the link speclf^ng Alb l^rjQeneratjbn \s carried^ ot^^^ 
according to Pig' 49 a©;f8lf<w 
is determined first (sieii SsoS'l) 'ihd'a buSer'j^.g^^ 
ated (step S901 2). Then, the link iriforf^^tibrj^^^ 
holder AID \s copied to a vacant regjfen otMe gen^raJje^pJ is 
buffer'-(st'i^ S9>C^i /^i the^^^^^ " ' 

mernber AID IS coiiifetfto a ^cahtY^iqn of t^^^ r;^ujtihg 
buffer (step ^9018). ah'd if the h©Kl nier&lsr A^^ 
(step S9015 YES), the stepi SStp'lS is Vep^tedr ; ' 
[0319]; -Ne>rt; tine deterniinatiO^ the iihk inforrriatjori 20 
of the holdfer^ AI'd Will be described: Each c^f the Make- 
PAT. the MerlePAT the'^SpIitPAT. ^d'the fransPAT coni- 
mands is defined to have two or niofe arguments /wher^^^ 
AID, PATf or* Eriabler cd'n be specified as' an argurrient. 
In this case, the PAT processing device s]3eclf ies,the lirik 25 
inforrhatibn of the holder AID. of ttie PAf to be putputted 
after executTiig each command according to. the foilow- 
ing riiles. • ' . . / . , 

Case of the MakePAT:

For the MakePAT command, it is defined that AIDs are to be specified for the first argument to the N-th argument (N = 2, 3, ...) and Enablers are to be specified for the N+1-th and subsequent arguments. For example, they can be specified as follows.

MakePAT AID1, AID2, ..., AIDN, Enabler of AID1, Enabler of AID2, ..., Enabler of AIDN

The PAT processing device interprets the link information of AID of the first argument of the MakePAT command as the link information of the holder AID.

Only when one of the Enablers of the N+1-th and subsequent arguments corresponds to the AID of the first argument, the PAT processing device specifies the link information of this AID (that is the link information of the AID of the first argument) as the link information of the holder AID of the PAT to be outputted after executing the MakePAT command.

Case of the MergePAT:

For the MergePAT command, it is defined that PATs are to be specified for the first argument to the N-th argument (N = 2, 3, ...) and Enabler is to be specified for the N+1-th argument. Namely, they can be specified as follows.

MergePAT PAT1 PAT2 ... PATN Enabler of AID

The PAT processing device interprets the link information of the holder AID of the PAT of the first argument of the MergePAT command as the link information of the holder AID of the PAT to be outputted after executing the MergePAT command.

Only when the Enabler of the N+1-th argument corresponds to the holder AID of the PAT of the first argument, the PAT processing device specifies the link information of this AID (that is the link information of the holder AID of the PAT of the first argument) as the link information of the holder AID of the PAT to be outputted after executing the MergePAT command.
Case of the SplitPAT:

For the SplitPAT command, it is defined that PAT is to be specified for the first argument, a set of one or more AIDs grouped by some prescribed symbols (assumed to be parentheses () in this example) are to be specified for the second argument to the N-th argument (N = 3, 4, ...), and Enabler is to be specified for the N+1-th argument. Namely, they can be specified as follows.

SplitPAT PAT (AID11) (AID21, AID22) ... (AIDN1, AIDN2, ..., AIDNM) Enabler of AID

The PAT processing device interprets the link information of the holder AID of the PAT of the first argument of the SplitPAT command as the link information of the holder AID of the PAT to be outputted after executing the SplitPAT command.

Only when the Enabler of the N+1-th argument corresponds to the holder AID of the PAT of the first argument, the PAT processing device specifies the link information of this AID (that is the link information of the holder AID of the PAT of the first argument) as the link information of the holder AID of the PAT to be outputted after executing the SplitPAT command.

Case of the TransPAT:

For the TransPAT command, it is defined that PATs are to be specified for the first argument and the second argument, an AID is to be specified for the third argument, and Enablers are to be specified for the fourth argument and the fifth argument. Namely, they can be specified as follows.

TransPAT PAT1 PAT2 AID Enabler of AID1 Enabler of AID2

The PAT processing device interprets the link information of AID of the third argument as the link information of the holder AID of the PAT to be outputted after executing the TransPAT command provided that the link information of AID of the third argument of the TransPAT command is contained in the PAT of the second argument.

Only when the Enabler of the fourth argument corresponds to both the PAT of the first argument and the PAT of the second argument and the Enabler of the fifth argument corresponds to the AID of the third argument, the PAT processing device specifies the link information of the AID of the third argument as the link information of the holder AID of the PAT to be outputted after executing the TransPAT command.

Next, the determination of the link information of the member AIDs will be described. The definitions of the MakePAT, the MergePAT, the SplitPAT, and the TransPAT commands are as described above. The PAT processing device specifies the link informations of the member AIDs of the PAT to be outputted after executing each command according to the following rules.

Case of the MakePAT:

Only when the link information of the holder AID of the PAT to be outputted after executing the MakePAT command is formally determined, the PAT processing device interprets all the link informations of the AIDs of the second and subsequent arguments of the MakePAT command as the link informations of the member AIDs of the PAT to be outputted after executing the MakePAT command.

The PAT processing device specifies only the link informations of those AIDs among all the AIDs of the second and subsequent arguments which correspond to the Enablers specified by the N+1-th and subsequent arguments as the link informations of the member AIDs of the PAT to be outputted after executing the MakePAT command.

Case of the MergePAT:

Only when the link information of the holder AID of the PAT to be outputted after executing the MergePAT command is formally determined, the PAT processing device specifies the link informations of the member AIDs of all the PATs specified by the first to N-th arguments of the MergePAT as the link informations of the member AIDs of the PAT to be outputted after executing the MergePAT command.

Case of the SplitPAT:

Only when the link information of the holder AID of the PAT to be outputted after executing the SplitPAT command is formally determined, the PAT processing device specifies the link information of the member AID of the PAT specified by the first argument of the SplitPAT command as the link information of the member AID of the PAT to be outputted after executing the SplitPAT command. At this point, the link informations of the member AIDs are distributed into different PATs in units of parentheses (). For example, in the case of:

SplitPAT PAT (AID11) (AID21, AID22) ... (AIDN1, AIDN2, ..., AIDNM) Enabler of AID

the link informations of (AID11), (AID21, AID22) and (AIDN1, AIDN2, ..., AIDNM) will be the link informations of [...] different PATs having a common link information [...].

Case of the TransPAT:

Only when the link information of the holder AID of the PAT to be outputted after executing the TransPAT command is formally determined, the PAT processing device specifies all the link informations of the member AIDs remaining after excluding the link information of the member AID that is scheduled to be a new holder AID from the link informations of the member AIDs of the PAT specified by the first argument of the TransPAT command and the link informations of the member AIDs of the PAT specified by the second argument as the link informations of the member AIDs of the PAT to be outputted after executing the TransPAT command.

The verification of the properness of the Enabler in this seventh embodiment is the same as described above with reference to Fig. 24. Also, this verification of the properness of the Enabler is common to the MakePAT, the MergePAT, the SplitPAT and the TransPAT.

[0320] Next, the eighth embodiment of an email access control scheme according to the present invention will be described in detail.

[0321] In this eighth embodiment, the OID is given by a real email address.

[0322] The PAT is an information comprising two or more real email addresses, the holder index, the validity period, the transfer control flag and the PAT processing device identifier (or the identifier of the PAT processing object on the network), which is signed using a secret key of the PAT processing device (or the PAT processing object on the network).

[0323] Here, one of the real email addresses is a holder email address of this PAT, where the change of the information contained in the PAT such as an addition of email address to the PAT, a deletion of email address from the PAT, a change of the validity period in the PAT, a change of the transfer control flag value in the PAT, etc., can be made by presenting the holder email address and an Enabler containing the holder email address to the PAT processing device (or the PAT processing object on the network).
[0324] On the other hand, the email addresses other than the holder email address that are contained in the PAT are all member email addresses, where a change of the information contained in the PAT cannot be made even when the member email address and an Enabler containing the member email address are presented to the PAT processing device (or the PAT processing object on the network).

[0325] The holder index is a [...] for identifying the holder email address [...] a value 1 when the holder email address is a top address in the email address [...] email address and the member email addresses, a value 2 when the holder email address is a second email address from the top of the email address list, [...] a value n when the holder email address is an n-th address from the top of the email address list.

[0326] The transfer control flag value is defined to take either 0 or 1.

[0327] The holder email address [...] email address which is written at a position [...] the holder index in the email address list, and the member email addresses are defined to be all the email addresses other than the holder email address.

[0328] The validity period is defined by any [...] combination of the number of times for which the PAT is available, the absolute time (UTC) by which the PAT becomes unavailable, the absolute time (UTC) by which the PAT becomes available, and the relative time (lifetime) since the PAT becomes available until it becomes unavailable.

[0329] The identifier of the PAT processing device (or the PAT processing object on the network) is defined as a serial number of the PAT processing device (or a distinguished name of the PAT processing object on the network). The secret key of the PAT processing device (or the PAT processing object on the network) is defined to be uniquely corresponding to the identifier.

[0330] Also, in this eighth embodiment, an Enabler is defined as an identifier corresponding to the real email address. The Enabler is an information comprising a character string uniquely indicating that it is an Enabler and a real email address itself, which is signed using the secret key of the PAT processing device or the PAT processing object on the network.

[0331] The generation of the PAT in this eighth embodiment is carried out as follows.

[0332] Here, a directory will be described as an example of the PAT processing object on the network. The directory manages the real email address and the disclosed information of the user in correspondence, and outputs the PAT upon receiving the search conditions presented from an arbitrary user.

[0333] The user transmits the real email address and the search conditions to the directory. Then, the directory acquires all the real email addresses which uniquely correspond to the disclosed information that satisfies these search conditions. Then, the directory generates a real email address list from the real email address of the user who presented the search conditions and all the real email addresses acquired as a search result. Then, the directory appends the holder index value, the validity period value, the transfer control flag value, and the distinguished name of the directory to the real email address list. Finally, the directory signs the result using a secret key of the directory, and transmits it to the user who presented the search conditions.

[0334] [...] the email [...] in this eighth embodiment [...]

[0335] The sender specifies the real email address of the sender in "From:" line, and [...] sender in "To:" line of a mail.

[0336] The SCS acquires an email received by an MTA (Message Transfer Agent) such as SMTP (Simple Mail Transfer Protocol), and carries out the authentication by the following procedure.

(1) The signature of the PAT is verified using the public key of the PAT [...].
When the PAT is found to have been altered, the email is discarded and the processing is terminated.
When the PAT is found to have been not altered, the following processing (2) is executed.

(2) The search is carried out by presenting the sender's real email address to the PAT.
When a real email address that completely matches with the sender's real email address is not contained in the PAT, the email is discarded and the processing is terminated.
When a real email address that completely matches with the sender's real email address is contained in the PAT, the following processing (3) is executed.

(3) The validity period value of the PAT is evaluated.
When the PAT is outside the validity period, the email is discarded, and the processing is terminated.
When the PAT is within the validity period, the following processing (4) is executed.

(4) Whether or not to authenticate the sender is determined by referring to the transfer control flag value of the PAT.
When the value is 1, the challenge/response authentication between the SCS and the sender is carried out, and the signature of the sender is verified. When the signature is valid, the recipient is specified and the PAT is attached. When the signature is invalid, the email is discarded and the processing is terminated.
When the value is 0, the recipient is specified and the PAT is attached without executing the challenge/response authentication.

[0337] An exemplary challenge/response authentication between the SCS and the sender in this eighth embodiment can be carried out as follows.

[0338] First, the SCS generates an arbitrary information such as a timestamp, for example, and transmits the generated information to the sender.
[0339] Then, the sender generates the secret key and the public key, signs the received information using the secret key, and transmits it along with the public key.

[0340] The SCS then verifies the signature of the received information using the public key presented from the sender. When the signature is valid, the recipient is specified and the PAT is attached. When the signature is invalid, the email is discarded and the processing is terminated.

[0341] The specifying of the recipient and the attaching of the PAT at the SCS in this eighth embodiment can be carried out as follows.

[0342] First, the SCS carries out the search by presenting the sender's real email address to the PAT, so as to acquire all the real email addresses which do not completely match the sender's real email address. Then, all these acquired real email addresses are specified as recipient's real email addresses.

[0343] Next, the SCS attaches the PAT to an arbitrary position in the email in order to transmit the PAT to all the recipient's email addresses so as to be able to realize the bidirectional communications. The SCS then gives the email to the MTA.

[0344] The receiving refusal with respect to the PAT at the SCS in this eighth embodiment can be carried out as follows.

[0345] Receiving refusal setting: The bidirectional authentication is carried out by an arbitrary means between the user and the SCS 5. Then, the user transmits a registration command, his/her own real email address, and arbitrary PATs to the SCS 5. Then, the SCS 5 next verifies the signature of each received PAT using a public key of the ADS. Those PATs with the invalid signature are discarded by the SCS 5. When the signature is valid, the SCS 5 carries out the search by presenting the received real email address to each PAT. For each of those PATs which contain the real email address that completely matches with the received real email address, the SCS 5 presents the registration command and the PAT to the storage device such that the PAT is registered into the storage device. Those PATs which do not contain the real email address that completely matches with the received real email address are discarded by the SCS 5 without storing them into the storage device.

[0346] Receiving refusal execution: The SCS 5 carries out the search by presenting the PAT to the storage device. When a PAT that completely matches the presented PAT is registered in the storage device, the mail is discarded. When a PAT that completely matches the presented PAT is not registered in the storage device, the mail is not discarded.
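
The SCS checks of paragraphs [0336] to [0343] and the receiving refusal execution of [0346], as an added sketch that is not code from the patent. Assumptions: an HMAC under a constructed key stands in for the public-key signature of the PAT processing device, the validity period is modelled as an absolute UTC window only, the refusal lookup is placed after sender authentication, and every name (PAT, sign_pat, scs_check, the example.com addresses) is hypothetical.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class PAT:
    addresses: tuple        # real email address list (holder and members)
    holder_index: int       # 1-based position of the holder address
    not_before: int         # validity period start, UTC epoch seconds
    not_after: int          # validity period end, UTC epoch seconds
    transfer_control: int   # 1 = authenticate sender by challenge/response
    issuer: str             # identifier of the PAT processing device
    signature: str = ""

    def payload(self):
        # Every field except the signature is covered by the signature.
        fields = [list(self.addresses), self.holder_index, self.not_before,
                  self.not_after, self.transfer_control, self.issuer]
        return json.dumps(fields, separators=(",", ":")).encode("utf-8")


def sign_pat(pat, issuer_key):
    # Assumption: HMAC-SHA256 replaces the issuer's secret-key signature.
    tag = hmac.new(issuer_key, pat.payload(), hashlib.sha256).hexdigest()
    return replace(pat, signature=tag)


def scs_check(pat, sender, issuer_key, now, refused=frozenset(),
              authenticate=None):
    """Return (decision, reason, recipients) for one email carrying a PAT."""
    # (1) Signature check: an altered PAT means the email is discarded.
    expected = hmac.new(issuer_key, pat.payload(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), pat.signature.encode()):
        return ("discard", "PAT altered", [])
    # (2) The sender address must completely match one address in the PAT.
    if sender not in pat.addresses:
        return ("discard", "sender not in PAT", [])
    # (3) Validity period.
    if not (pat.not_before <= now <= pat.not_after):
        return ("discard", "outside validity period", [])
    # (4) Transfer control flag 1 requires challenge/response authentication;
    #     `authenticate` is a callback returning True when it succeeds.
    if pat.transfer_control == 1:
        if authenticate is None or not authenticate(sender):
            return ("discard", "sender authentication failed", [])
    # Receiving refusal execution: a registered PAT means the mail is dropped.
    if pat.signature in refused:
        return ("discard", "receiving refused", [])
    # Recipients are all addresses that do not match the sender.
    recipients = [a for a in pat.addresses if a != sender]
    return ("deliver", "ok", recipients)


# Constructed sample data.
DEMO_KEY = b"constructed-demo-key"
DEMO_PAT = sign_pat(
    PAT(("alice@example.com", "bob@example.com", "carol@example.com"),
        holder_index=1, not_before=1000, not_after=2000,
        transfer_control=0, issuer="directory-1"),
    DEMO_KEY)

if __name__ == "__main__":
    print(scs_check(DEMO_PAT, "bob@example.com", DEMO_KEY, now=1500))
    forged = replace(DEMO_PAT,
                     addresses=DEMO_PAT.addresses + ("mallory@example.com",))
    print(scs_check(forged, "mallory@example.com", DEMO_KEY, now=1500))
```

Because the signature covers the address list, adding an address to an issued PAT fails at step (1) before the membership check is ever reached.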

[0347] Receiving refusal cancellation: The bidirectional authentication is carried out by an arbitrary means between the user and the SCS 5. Then, the user presents his/her own real email address to the SCS 5. Then, the SCS 5 next presents the presented real email address as a search condition to the storage device and acquires all the PATs [...] the presented real email address, and then presents all the acquired PATs to the user. Then, the user selects all the PATs for which the receiving refusal is to be cancelled by referring to all the PATs [...] the selected [...] SCS 5. Upon receiving the deletion [...] all the PATs for which the receiving refusal is to be cancelled, the SCS 5 presents the deletion command and all the PATs received from the user to the storage device, such that all the [...] the storage device [...].

[0348] The editing of the PAT in this eighth embodiment can be carried out as follows.

[0349] The MakePAT, the MergePAT, the SplitPAT, and the TransPAT processings for the PAT using real email addresses as its elements can be obtained from the MakePAT, the MergePAT, the SplitPAT, and the TransPAT processings for the PAT using AIDs as its elements described above, by replacing the AID by the real email address and the Enabler of AID by the Enabler of real email address.

[0350] A Null operator is an information comprising a data which is uniquely indicating that it is Null and which has a format of the real email address, which is signed by the secret key of the PAT processing device or the PAT processing object on the network.

[0351] Similarly, the God operator is an information comprising a data which is uniquely indicating that it is God and which has a format of the real email address, which is signed by the secret key of the PAT processing device or the PAT processing object on the network.

[0352] The Enabler of Null operator is an information comprising a data which is uniquely indicating that it is Enabler and the Null operator itself, which is signed by the secret key of the PAT processing device or the PAT processing object on the network.

[0353] The processings involving the Null operator and the God operator can be obtained from the processings for the PAT using AIDs as its elements described above, by replacing the AID by the real email address, the Enabler of AID by the Enabler of real email address, the Null-AID by the Null operator, the God-AID by the God operator, and the Enabler of Null-AID by the Enabler of Null operator.

[0354] As described, according to the present invention, a PAT is used for verifying the access right of a sender and the email access control among users is carried out when the verification result is valid, so that it becomes possible to disclose the information indicative of characteristics of a user while concealing the true identification of a user and carrying out communications appropriately according to this disclosed information while preventing conventionally possible attacks from a third person. In addition, even when a recipient receives an attack from a sender who maliciously utilizes the anonymity, damages of a recipient due to that attack can be minimized.

[0355] Also, according to the present invention, the generation and the content change of the personalized access ticket can be made by the initiative of a user by using an AID assigned to each user and an Enabler defined in correspondence to the AID, so that it becomes possible to appropriately manage [...] such as that of a point of contact of each member of a group communication (mailing list, etc.) which changes dynamically.

[0356] Also, according to the present invention, a Null-AID and an Enabler of Null-AID can be introduced in order to carry out the generation of a new PAT (MakePAT) and the merging of PATs (MergePAT) without giving the member AID and the Enabler of the member AID to the holder of the PAT, so that it becomes possible to prevent the [...] using the member AID.

[0357] Also, according to the present invention, the Null-AID can be used only as the holder AID of the PAT (the Null-AID cannot be used as the member AID), that is, PAT<AIDNull | AIDmember1, AIDmember2, ..., AIDmemberN> is allowed, but PAT<AIDholder | AIDNull, AIDmember1, AIDmember2, ..., AIDmemberN> is not allowed, so that the holder of PAT<AIDholder | AIDmember> cannot produce PAT<AIDNull | AIDmember> from this PAT<AIDholder | AIDmember> as long as the holder does not know Enabler of AIDmember.

[0358] Also, according to the present invention, a God-AID can be introduced in order to set up a read only attribute to the PAT, so that it becomes possible to fix the participants in the group communication.

[0359] Also, according to the present invention, the link information for uniquely specifying the AID can be introduced and the PAT can be given in terms of the link information such that the PAT does not contain the AID itself, so that it becomes possible to realize the receiving refusal function without using the AID itself.

[0360] It is to be noted that, besides those already mentioned above, many modifications and variations of the above embodiments may be made without departing from the novel and advantageous features of the present invention. Accordingly, all such modifications and variations are intended to be included within the scope of the appended claims.



Claims

1. A method of email access control, comprising the steps of:

receiving a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, at a secure communication service for connecting communications between the sender and the receiver; and

controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket at the secure communication service.

2. The method of claim 1, wherein at the controlling step the secure communication service authenticates the personalized access ticket presented by the sender, and refuses a delivery of the email when the personalized access ticket presented by the sender has been altered.

3. The method of claim 2, wherein the personalized access ticket is signed by a secret key of a secure processing device which issued the personalized access ticket and at the controlling step the secure communication service authenticates the personalized access ticket by verifying a signature of the secure processing device in the personalized access ticket using a public key of the secure processing device.

4. The method of claim 1, wherein at the receiving step the secure communication service also receives the sender's identification presented by the sender along with the personalized access ticket, and at the controlling step the secure communication service checks whether the sender's identification presented by the sender is contained in the personalized access ticket presented by the sender, and refuses a delivery of the email when the sender's identification presented by the sender is not contained in the personalized access ticket presented by the sender.

5. The method of claim 1, wherein the personalized access ticket also contains a validity period indicating a period for which the personalized access ticket is valid, and at the controlling step the secure communication service checks the validity period contained in the personalized access ticket presented by the sender and refuses a delivery of the email when the personalized access ticket presented by the sender contains the validity period that has already been expired.

6. The method of claim 5, wherein the validity period of the personalized access ticket is set by a trusted third party.

7. The method of claim 1, further comprising the step of:

issuing the personalized access ticket to the sender at a directory service for managing an identification of each registrant and a disclosed information of each registrant which has a lower secrecy than a personal information, in a state which is accessible for search by unspecified many, in response to search conditions specified by the sender, by [...] identification of a registrant whose disclosed information matches the search conditions as the recipient's identification and the sender's identification specified by the sender along with the search conditions.

8. The method of claim 1, further comprising the step of:

registering in advance the personalized access ticket containing an identification of a specific [...] from which a delivery of emails to a specific registrant is to be refused as the sender's identification and an identification of the specific registrant as the recipient's identification, at the secure communication service;

wherein at the controlling step the secure communication service refuses a delivery of the email from the sender when the personalized access ticket presented by the sender is registered therein in advance at the registering step.

9. The method of claim 8, further comprising the step of:

deleting the personalized access ticket registered at the secure communication service upon request from the specific registrant who registered the personalized access ticket at the registering step.

10. The method of claim 1, wherein the personalized access ticket also contains a transfer control flag indicating whether or not the sender should be authenticated by the secure communication service, and at the controlling step, when the transfer control flag contained in the personalized access ticket indicates that the sender should be authenticated, the secure communication service authenticates the sender's identification presented by the sender and refuses a delivery of the email when an authentication of the sender's identification fails.

11. The method of claim 10, wherein the authentication of the sender's identification is realized by a challenge/response procedure between the sender and the secure communication service.

12. The method of claim 10, wherein the transfer control flag of the personalized access ticket is set by a trusted third party.



13. The method of claim 1, wherein the sender's identification and the recipient's identification in the personalized access ticket are given by real email addresses of the sender and the recipient.

14. [...] by anonymous identifications of the sender and the recipient, where an anonymous identification of each user [...] identifiable by a certification authority.

15. The method of claim 14, wherein the anonymous identification of each user is an information containing at least one fragment of the official identification of each user which is signed by the certification authority using a secret key of the certification authority.

16. The method of claim 14, wherein the official identification of each user is a character string uniquely assigned to each user by the certification authority, and a public key of each user which are signed by a secret key of the certification authority.

17. The method of claim 14, further comprising the step of:

probabilistically identifying an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

18. The method of claim 1, wherein an anonymous identification of each user that contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority and a link information of each anonymous identification by which each anonymous identification can be uniquely identified are defined, and the sender's identification and the recipient's identification in the personalized access ticket are given by a link information of the anonymous identification of the sender and a link information of the anonymous identification of the recipient.

19. The method of claim 1, wherein the link information of each anonymous identification is an identifier uniquely assigned to each anonymous identification by the certification authority.

20. The method of claim 18, further comprising the step of:

probabilistically identifying an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender corresponding to the link information [...] in a plurality of personalized access tickets used by the sender.



21. The method of claim 1, wherein the personalized access ticket contains a single sender's identification and a single recipient's identification in 1-to-1 correspondence.

22. The method of claim 1, wherein the personalized access ticket contains a single sender's identification and a plurality of recipient's identifications in 1-to-N correspondence, where N is an integer greater than 1.

23. The method of claim 22, wherein one identification among the single sender's identification and the plurality of recipient's identifications is a holder identification for identifying a holder of the personalized access ticket while other identifications among the single sender's identification and the plurality of recipient's identifications are member identifications for identifying members of a group to which the holder belongs.

24. The mithod of clairri 23, further comprising the step 30 



' ^ issuing an identificatibp of each user arid an 
enabler'of the identific^tipn pf^each user indi- 
cating a right tp. change the personalized 35 
' access ticket cphtaining ^the ' identification of 
each user as the"holder. identification, to each 
user at a certificatipn authority, such that pre- 
SCTibed processing on the personalized access 
ticket can be carried out at a secure processing 40 
device only by a user who presented both the 
holder identification contained In the personal- 
ized access ticket and the enabler correspond- 
ing to the holder identification to the secure 
processing device. 45 

25. The method of claim 24, wherein the certification
authority issues the enabler of the identification of
each user as an information indicating that it is the
enabler and the identification of each user itself
which are signed by a secret key of the certification
authority.

26. The method of claim 24, wherein the prescribed
processing includes a generation of a new person-
alized access ticket, a merging of a plurality of per-
sonalized access tickets, a splitting of one
personalized access ticket into a plurality of person-
alized access tickets, a changing of the holder of
the personalized access ticket, changing of a valid-
ity period of the personalized access ticket, and a
changing of a transfer control flag of the personal-
ized access ticket.

27. The method of claim 26, wherein a special identifi-
cation and a special enabler corresponding to the
special identification which are known to all users
are defined such that the generation of a new per-
sonalized access ticket and the changing of the
holder of the personalized access ticket can be car-
ried out by the holder of the personalized access
ticket by using the special identification and the
special enabler without using an enabler of a mem-
ber identification.

28. The method of claim 27, wherein the special identi-
fication is defined to be capable of being used only
as the holder identification of the personalized
access ticket.

29. The method of claim 26, wherein a special identifi-
cation which is known to all users is defined such
that a read-only attribute can be set to the personal-
ized access ticket by using the special identifica-
tion.

30. The method of claim 1, wherein at the controlling
step, when the access right of the sender with
respect to the recipient is verified according to the
personalized access ticket, the secure communica-
tion service takes out the recipient's identification
from the personalized access ticket by using the
sender's identification presented by the sender,
converts the mail by using a taken out recipient's
identification into a format that can be interpreted
by a mail transfer function for actually carrying out a
mail delivery processing, and gives the mail after
conversion to the mail transfer function by attaching
the personalized access ticket.

31. A method of email access control, comprising the
steps of:

defining an official identification of each user by
which each user is uniquely identifiable by a
certification authority, and an anonymous iden-
tification of each user containing at least one
fragment of the official identification; and
identifying each user by the anonymous identi-
fication of each user in communications for
emails on a communication network.

32. The method of claim 31, wherein the anonymous
identification of each user is an information contain-
ing the at least one fragment of the official identifi-
cation of each user which is signed by the
certification authority using a secret key of the cer-
tification authority.

33. The method of claim 31, wherein the official identi-
fication of each user is a character string uniquely
assigned to each user by the certification authority
and a public key of each user which are signed by a
secret key of the certification authority.

34. The method of claim 31, further comprising the
steps of:

receiving a personalized access ticket contain-
ing a sender's anonymous identification and a
recipient's anonymous identification in corre-
spondence, which is presented by a sender
who wishes to send an email to a recipient so
as to specify the recipient as an intended desti-
nation of the email, at a secure communication
service for connecting communications
between the sender and the receiver; and
controlling accesses between the sender and
the recipient by verifying an access right of the
sender with respect to the recipient according
to the personalized access ticket at the secure
communication service.

35. The method of claim 34, further comprising the step
of:

probabilistically identifying an identity of the
sender at the secure communication service by
reconstructing the official identification of the
sender while judging identity of a plurality of
anonymous identifications of the sender con-
tained in a plurality of personalized access tick-
ets used by the sender.

36. The method of claim 31, wherein the defining step
also defines a link information of each anonymous
identification by which each anonymous identifica-
tion can be uniquely identified, and each anony-
mous identification also contains the link
information of each anonymous identification.

37. The method of claim 36, wherein the link informa-
tion of each anonymous identification is an identifier
uniquely assigned to each anonymous identifica-
tion by the certification authority.

38. The method of claim 36, further comprising the 
steps of: 

receiving a personalized access ticket contain-
ing a link information of a sender's anonymous
identification and a link information of a recipi-
ent's anonymous identification in correspond-
ence, which is presented by a sender who
wishes to send an email to a recipient so as to
specify the recipient as an intended destination
of the email, at a secure communication serv-
ice for connecting communications between
the sender and the receiver; and
controlling accesses between the sender and
the recipient by verifying an access right of the
sender with respect to the recipient according
to the personalized access ticket at the secure
communication service.

39. The method of claim 38, further comprising the step
of:

probabilistically identifying an identity of the
sender by reconstructing the official identifica-
tion of the sender while judging identity of a plu-
rality of anonymous identifications of the
sender corresponding to the link information
contained in a plurality of personalized access
tickets used by the sender.

40. A communication system realizing email access
control, comprising:

a communication network to which a plurality of
user terminals are connected; and
a secure communication service device for
connecting communications between the
sender and the receiver on the communication
network, by receiving a personalized access
ticket containing a sender's identification and a
recipient's identification in correspondence,
which is presented by a sender who wishes to
send an email to a recipient so as to specify the
recipient as an intended destination of the
email, and controlling accesses between the
sender and the recipient by verifying an access
right of the sender with respect to the recipient
according to the personalized access ticket.

41. The system of claim 40, wherein the secure com-
munication service device authenticates the per- 
sonalized access ticket presented by the sender, 
and refuses a delivery of the email when the per- 
sonalized access ticket presented by the sender 
has been altered. 

42. The system of claim 41, further comprising:

a secure processing device for issuing the per- 
sonalized access ticket which is signed by a 
secret key of the secure processing device; 
wherein the secure communication service 
device authenticates the personalized access 
ticket by verifying a signature of the secure 
processing device in the personalized access 
ticket using a public key of the secure process-
ing device.

43. The system of claim 40, wherein the secure com-
munication service device also receives the
sender's identification presented by the sender
along with the personalized access ticket, checks
whether the sender's identification presented by the
sender is contained in the personalized access
ticket presented by the sender, and refuses a deliv-
ery of the email when the sender's identification
presented by the sender is not contained in the per-
sonalized access ticket presented by the sender.

44. The system of claim 40, wherein the personalized
access ticket also contains a validity period indicat-
ing a period for which the personalized access
ticket is valid, and the secure communication serv-
ice device checks the validity period contained in
the personalized access ticket presented by the
sender and refuses a delivery of the email when the
personalized access ticket presented by the sender
contains the validity period that has already been
expired.

45. The system of claim 44, further comprising:

a trusted third party for setting the validity
period of the personalized access ticket.

46. The system of claim 40, further comprising:

a directory service device for managing an
identification of each registrant and a dis-
closed information of each registrant which has
a lower secrecy than a personal information, in
a state which is accessible for search by
unspecified many, and issuing the personalized
access ticket to the sender in response to
search conditions specified by the sender, by
using an identification of a registrant whose
disclosed information matches the search con-
ditions as the recipient's identification and the
sender's identification specified by the sender
along with the search conditions.

47. The system of claim 40, wherein the secure com- 
munication service device registers in advance the 
personalized access ticket containing an identifica- 
tion of a specific user from which a delivery of 
emails to a specific registrant is to be refused as the
sender's identification and an identification of the
specific registrant as the recipient's identification,
and refuses a delivery of the email from the sender
when the personalized access ticket presented by
the sender is registered therein in advance.

48. The system of claim 47, wherein the secure com-
munication service device deletes the personalized
access ticket registered therein upon request from
the specific registrant who registered the personal-
ized access ticket.

49. The system of claim 40, wherein the personalized
access ticket also contains a transfer control flag
indicating whether or not the sender should be
authenticated by the secure communication serv-
ice, and when the transfer control flag contained in
the personalized access ticket indicates that the
sender should be authenticated, the secure com-
munication service device authenticates the
sender's identification presented by the sender and
refuses a delivery of the email when an authentica-
tion of the sender's identification fails.

50. The system of claim [...], wherein the authentication
of the sender's identification is realized by a chal-
lenge/response procedure between the sender and
the secure communication service device.

51. The system of claim 4[...], further comprising a
trusted third party for setting the transfer control flag
of the personalized access ticket.

52. The system of claim 40, wherein the sender's iden-
tification and the recipient's identification in the per- 
sonalized access ticket are given by real email 
addresses of the sender and the recipient. 

53. The system of claim 40, further comprising:

a certification authority device for issuing an
anonymous identification of each user which
contains at least one fragment of an official
identification of each user by which each user
is uniquely identifiable by the certification
authority device;
wherein the sender's identification and the
recipient's identification in the personalized
access ticket are given by anonymous identifi-
cations of the sender and the recipient.

54. The system of claim 53, wherein the anonymous
identification of each user is an information contain-
ing the at least one fragment of the official identifi-
cation of each user which is signed by the
certification authority device using a secret key of
the certification authority device.

55. The system of claim 53, wherein the official identifi-
cation of each user is a character string uniquely 
assigned to each user by the certification authority 
device and a public key of each user which are 
signed by a secret key of the certification authority 
device. 

56. The system of claim 53, wherein the secure com-
munication service device probabilistically identifies
an identity of the sender by reconstructing the offi-
cial identification of the sender while judging iden-
tity of a plurality of anonymous identifications of the
sender contained in a plurality of personalized
access tickets used by the sender.

57. The system of claim 40, further comprising:

a certification authority device for issuing an
anonymous identification of each user which
contains at least one fragment of an official
identification of each user by which each user
is uniquely identifiable by the certification
authority device and a link information of each
anonymous identification by which each anon-
ymous identification can be uniquely identified;
wherein the sender's identification and the
recipient's identification in the personalized
access ticket are given by a link information of
the anonymous identification of the sender and
a link information of the anonymous identifica-
tion of the recipient.

58. The system of claim 57, wherein the link informa-
tion of each anonymous identification is an identifier
uniquely assigned to each anonymous identifica-
tion by the certification authority device.

59. The system of claim 57, wherein the secure com-
munication service device probabilistically identifies
an identity of the sender by reconstructing the offi-
cial identification of the sender while judging iden-
tity of a plurality of anonymous identifications of the
sender corresponding to the link information con-
tained in a plurality of personalized access tickets
used by the sender.

60. The system of claim 40, wherein the personalized
access ticket contains a single sender's identifica-
tion and a single recipient's identification in 1-to-1
correspondence.

61. The system of claim 40, wherein the personalized
access ticket contains a single sender's identifica-
tion and a plurality of recipient's identifications in 1-
to-N correspondence, where N is an integer greater
than 1.

62. The system of claim 61, wherein one identification
among the single sender's identification and the
plurality of recipient's identifications is a holder
identification for identifying a holder of the personal-
ized access ticket while other identifications among
the single sender's identification and the plurality of
recipient's identifications are member identifica-
tions for identifying members of a group to which
the holder belongs.



63. The system of claim 62, further comprising:

a certification authority device for issuing to
each user an identification of each user and an
enabler of the identification of each user indi-
cating [...]
a secure processing device [...] which pre-
scribed processing on the personalized access
ticket can be carried out only by a user who
presented both the holder identification con-
tained in the personalized access ticket and the
[...]

64. The system of claim 63, wherein the certification
authority device issues the enabler of the identifica-
tion of each user as an information indicating that it
is the enabler and the identification of each user
itself which are signed by a secret key of the certifi-
cation authority device.

65. The system of claim 63, wherein the prescribed
processing includes a generation of a new person-
alized access ticket, a merging of a plurality of per-
sonalized access tickets, a splitting of one
personalized access ticket into a plurality of person-
alized access tickets, a changing of the holder of
the personalized access ticket, changing of a valid-
ity period of the personalized access ticket, and a
changing of a transfer control flag of the personal-
ized access ticket.

66. The system of claim 65, wherein a special identifi-
cation and a special enabler corresponding to the
special identification which are known to all users
are defined such that the generation of a new per-
sonalized access ticket and the changing of the
holder of the personalized access ticket can be car-
ried out by the holder of the personalized access
ticket by using the special identification and the
special enabler without using an enabler of a mem-
ber identification.

67. The system of claim 66, wherein the special identi- 
fication is defined to be capable of being used only 
as the holder identification of the personalized 
access ticket. 

68. The system of claim 65, wherein a special identifi-
cation which is known to all users is defined such
that a read only attribute can be set to the personal-
ized access ticket by using the special identifica-
tion.

69. The system of claim 40, wherein when the access
right of the sender with respect to the recipient is
verified according to the personalized access ticket,
the secure communication service device takes out
the recipient's identification from the personalized
access ticket by using the sender's identification
presented by the sender, converts the mail by using
a taken out recipient's identification into a format
that can be interpreted by a mail transfer function
for actually carrying out a mail delivery processing,
and gives the mail after conversion to the mail
transfer function by attaching the personalized
access ticket.

70. A communication system realizing email access
control, comprising:

a certification authority device for defining an
official identification of each user by which
each user is uniquely identifiable by the certifi-
cation authority device, and an anonymous
identification of each user which contains at
least one fragment of the official identification;

a communication network on which each user
is identified by the anonymous identification of
each user in communications for emails on the
communication network.

71. The system of claim [...], wherein the anonymous
identification of each user is an information contain-
ing the at least one fragment of the official identifi-
cation of each user which is signed by the
certification authority device using a secret key of
the certification authority device.

72. The system of claim 70, wherein the official identifi-
cation of each user is a character string uniquely
assigned to each user by the certification authority
device and a public key of each user which are
signed by a secret key of the certification authority
device.

73. The system of claim 70, further comprising: 

a secure communication service device for
connecting communications between the
sender and the receiver on the communication
network, by receiving a personalized access
ticket containing a sender's anonymous identi-
fication and a recipient's anonymous identifica-
tion in correspondence, which is presented by
a sender who wishes to send an email to a
recipient so as to specify the recipient as an
intended destination of the email, and control-
ling accesses between the sender and the
recipient by verifying an access right of the
sender with respect to the recipient according
to the personalized access ticket.



74. The system of claim 73, wherein the secure com-
munication service device probabilistically identifies
an identity of the sender by reconstructing the offi-
cial identification of the sender while judging iden-
tity of a plurality of anonymous identifications of the
sender contained in a plurality of personalized
access tickets used by the sender.

75. The system of claim 70, wherein the certification
authority device also defines a link information of
each anonymous identification by which each
anonymous identification can be uniquely identi-
fied, and each anonymous identification also con-
tains the link information of each anonymous
identification.

76. The system of claim [...], wherein the link informa-
tion of each anonymous identification is an identifier
uniquely assigned to each anonymous identifica-
tion by the certification authority device.

77. The system of claim 75, further comprising:

a secure communication service device for
connecting communications between the
sender and the receiver on the communication
network, by receiving a personalized access
ticket containing a link information of a sender's
anonymous identification and a link information
of a recipient's anonymous identification in cor-
respondence, which is presented by a sender
who wishes to send an email to a recipient so
as to specify the recipient as an intended desti-
nation of the email, and controlling accesses
between the sender and the recipient by verify-
ing an access right of the sender with respect
to the recipient according to the personalized
access ticket.

78. The system of claim 77, wherein the secure com-
munication service device probabilistically identifies
an identity of the sender by reconstructing the offi-
cial identification of the sender while judging iden-
tity of a plurality of link informations of anonymous
identifications of the sender contained in a plurality
of personalized access tickets used by the sender.

79. A secure communication service device for use in a
communication system realizing email access con-
trol, comprising:

a computer hardware; and
a computer software for causing the computer
hardware to connect communications between
the sender and the receiver, by receiving a per-
sonalized access ticket containing a sender's
identification and a recipient's identification in
correspondence, which is presented by a
sender who wishes to send an email to a recip-
ient so as to specify the recipient as an
intended destination of the email, and control-
ling accesses between the sender and the
recipient by verifying an access right of the
sender with respect to the recipient according
to the personalized access ticket.

80. The secure communication service device of claim
[...],
wherein the computer software causes the compu-
ter hardware to authenticate the personalized
access ticket presented by the sender, and refuse a
delivery of the email when the personalized access
ticket presented by the sender has been altered.

81. The secure communication service device of claim
[...],
wherein the personalized access ticket is signed by
a secret key of a secure processing device which
issued the personalized access ticket, and the com-
puter software causes the computer hardware to
authenticate the personalized access ticket by veri-
fying a signature of the secure processing device in
the personalized access ticket using a public key of
the secure processing device.

82. The secure communication service device of claim
[...],
wherein the computer software causes the compu-
ter hardware to also receive the sender's identifica-
tion presented by the sender along with the
personalized access ticket, check whether the
sender's identification presented by the sender is
contained in the personalized access ticket pre-
sented by the sender, and refuse a delivery of the
email when the sender's identification presented by
the sender is not contained in the personalized
access ticket presented by the sender.

83. The secure communication service device of claim
79,
wherein the personalized access ticket also con-
tains a validity period indicating a period for which
the personalized access ticket is valid, and the
computer software causes the computer hardware
to check the validity period contained in the person-
alized access ticket presented by the sender and
refuse a delivery of the email when the personal-
ized access ticket presented by the sender contains
the validity period that has already been expired.

84. The secure communication service device of claim
79,
wherein the computer software causes the compu-
ter hardware to register in advance the personal-
ized access ticket containing an identification of a
specific user from which a delivery of emails to a
specific registrant is to be refused as the sender's
identification and an identification of the specific
registrant as the recipient's identification at the
secure communication service device, and refuse a
delivery of the email from the sender when the per-
sonalized access ticket presented by the sender is
registered at the secure communication service
device in advance.

85. The secure communication service device of claim
84,
wherein the computer software causes the compu-
ter hardware to delete the personalized access
ticket registered at the secure communication serv-
ice device upon request from the specific registrant
who registered the personalized access ticket.

86. The secure communication service device of claim
[...],
wherein the personalized access ticket also con-
tains a transfer control flag indicating whether or not
the sender should be authenticated by the secure
communication service device, and when the trans-
fer control flag contained in the personalized
access ticket indicates that the sender should be
authenticated, the computer software causes the
computer hardware to authenticate the sender's
identification presented by the sender and refuse a
delivery of the email when an authentication of the
sender's identification fails.

87. The secure communication service device of claim
86,
wherein the computer software causes the compu-
ter hardware to realize the authentication of the
sender's identification by a challenge/response pro-
cedure between the sender and the secure commu-
nication service device.

88. The secure communication service device of claim
79,
wherein the sender's identification and the recipi-
ent's identification in the personalized access ticket
are given by anonymous identifications of the
sender and the recipient, where an anonymous
identification of each user contains at least one
fragment of an official identification of each user by
which each user is uniquely identifiable by a certifi-
cation authority, and the computer software also
causes the computer hardware to probabilistically
identify an identity of the sender by reconstructing
the official identification of the sender by judging
identity of a plurality of anonymous identifications of
the sender contained in a plurality of personalized
access tickets used by the sender.

89. The secure communication service device of claim
79,
wherein an anonymous identification of each user
that contains at least one fragment of an official
identification of each user by which each user is
uniquely identifiable by a certification authority and
a link information of each anonymous identification
by which each anonymous identification can be
uniquely identified are defined, the sender's identifi-
cation and the recipient's identification in the per-
sonalized access ticket are given by a link
information of the anonymous identification of the
sender and a link information of the anonymous
identification of the recipient, and the computer
software also causes the computer hardware to
probabilistically identify an identity of the sender by
reconstructing the official identification of the
sender by judging identity of a plurality of anony-
mous identifications of the sender corresponding to
the link information contained in a plurality of per-
sonalized access tickets used by the sender.



90. The secure communication service device of claim
79,
wherein when the access right of the sender with
respect to the recipient is verified according to the
personalized access ticket, the computer software
causes the computer hardware to take out the
recipient's identification from the personalized
access ticket by using the sender's identification
presented by the sender, convert the mail by using
a taken out recipient's identification into a format
that can be interpreted by a mail transfer function
for actually carrying out a mail delivery processing,
and give the mail after conversion to the mail trans-
fer function by attaching the personalized access
ticket.

91. A secure processing device for use in a communi-
cation system realizing email access control, com-
prising:

a computer hardware; and
a computer software for causing the computer
hardware to receive a request for a personal-
ized access ticket from a user, and issue a per-
sonalized access ticket containing a sender's
identification and a recipient's identification in
correspondence, which is signed by a secret
key of the secure processing device.

92. A directory service device for use in a communica-
tion system realizing email access control, compris-
ing:

a computer hardware; and
a computer software for causing the computer
hardware to manage an identification of each
registrant and a disclosed information of each
registrant which has a lower secrecy than a
personal information, in a state which is acces-
sible for search by unspecified many, and issue
a personalized access ticket containing a
sender's identification and a recipient's identifi-
cation [...] sender in
response to search conditions specified by the
sender, by using an identification of a registrant
whose disclosed information matches the
[...]

93. A certification authority device for use in a commu-
nication system realizing email access control,
comprising:

a computer hardware; and
a computer software for causing the computer
hardware to issue to each user an official iden-
tification of each user by which each user is
uniquely identifiable by the certification author-
ity device, and an anonymous identification of
each user which contains at least one fragment
of the official identification.

94. A certification authority device for use in a commu-
nication system realizing email access control,
comprising:

a computer hardware; and
a computer software for causing the computer
hardware to issue to each user an identification
of each user and an enabler of the identification
of each user indicating a right to change any
personalized access ticket that contains the
identification of each user as a holder identifi-
cation, where the personalized access ticket
generally contains a sender's identification and
a plurality of recipient's identifications in corre-
spondence, and one of the sender's identifica-
tion and the recipient's identifications is a
holder identification.

95. A secure processing device for use in a communication system realizing email access control, comprising:

a computer hardware; and
a computer software for causing the computer hardware to receive from a user a request for prescribed processing on a personalized access ticket containing a sender's identification and a plurality of recipient's identifications in correspondence, where one of the sender's identification and the recipient's identifications is a holder identification, and execute the prescribed processing on the personalized access ticket when the user presented both the holder identification contained in the personalized access ticket and an enabler corresponding to the holder identification which indicates a right to change the personalized access ticket containing the identification of the user as the holder identification.

96. A computer usable medium having computer readable program code means embodied therein for causing a computer to function as a secure communication service device for use in a communication system realizing email access control, the computer readable program code means includes:

first computer readable program code means for causing said computer to receive a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email; and
second computer readable program code means for causing said computer to control accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket, so as to connect communications between the sender and the receiver on the communication network.

97. The computer usable medium of claim 96, wherein the second computer readable program code means causes said computer to authenticate the personalized access ticket presented by the sender, and refuse a delivery of the email when the personalized access ticket presented by the sender has been altered.

98. The computer usable medium of claim 97, wherein the personalized access ticket is signed by a secret key of a secure processing device which issued the personalized access ticket, and the second computer readable program code means causes said computer to authenticate the personalized access ticket by verifying a signature of the secure processing device in the personalized access ticket using a public key of the secure processing device.

99. The computer usable medium of claim 96, wherein the first computer readable program code means causes said computer to also receive the sender's identification presented by the sender along with the personalized access ticket, and the second computer readable program code means causes said computer to check whether the sender's identification presented by the sender is contained in the personalized access ticket presented by the sender and refuse a delivery of the email when the sender's identification presented by the sender is not contained in the personalized access ticket presented by the sender.

100. The computer usable medium of claim [illegible], wherein the personalized access ticket also contains a validity period indicating a period for which the personalized access ticket is valid, and the second computer readable program code means causes said computer to check the validity period contained in the personalized access ticket presented by the sender and refuse a delivery of the email when the personalized access ticket presented by the sender contains the validity period that has already been expired.

101. The computer usable medium of claim 96, wherein the second computer readable program code means causes said computer to register in advance the personalized access ticket containing an identification of a specific user from which a delivery of emails to a specific registrant is to be refused as the sender's identification and an identification of the specific registrant as the recipient's identification, at the secure communication service device, and refuse a delivery of the email from the sender when the personalized access ticket presented by the sender is registered at the secure communication service device in advance.

102. The computer usable medium of claim 101, wherein the second computer readable program code means causes said computer to delete the personalized access ticket registered at the secure communication service device upon request from the specific registrant who registered the personalized access ticket.

103. The computer usable medium of claim 96, wherein the personalized access ticket also contains a transfer control flag indicating whether or not the sender should be authenticated by the secure communication service device, and when the transfer control flag contained in the personalized access ticket indicates that the sender should be authenticated, the second computer readable program code means causes said computer to authenticate the sender's identification presented by the sender and refuse a delivery of the email when an authentication of the sender's identification fails.

104. The computer usable medium of claim 103, wherein the second computer readable program code means causes said computer to realize the authentication of the sender's identification by a challenge/response procedure between the sender and the secure communication service device.

105. The computer usable medium of claim 96, wherein the sender's identification and the recipient's identification in the personalized access ticket are given by anonymous identifications of the sender and the recipient, where an anonymous identification of each user contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority, and the second computer readable program code means also causes said computer to probabilistically identify an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

106. The computer usable medium of claim 96, wherein an anonymous identification of each user that contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority and a link information of each anonymous identification by which each anonymous identification can be uniquely identified are defined, the sender's identification and the recipient's identification in the personalized access ticket are given by a link information of the anonymous identification of the sender and a link information of the anonymous identification of the recipient, and the second computer readable program code means also causes said computer to probabilistically identify an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender corresponding to the link information contained in a plurality of personalized access tickets used by the sender.

107. The computer usable medium of claim 96, wherein when the access right of the sender with respect to the recipient is verified according to the personalized access ticket, the second computer readable program code means causes said computer to take out the recipient's identification from the personalized access ticket by using the sender's identification presented by the sender, convert the mail by using a taken out recipient's identification into a format that can be interpreted by a mail transfer function for actually carrying out a mail delivery processing, and give the mail after conversion to the mail transfer function by attaching the personalized access ticket.

108. A computer usable medium having computer readable program code means embodied therein for causing a computer to function as a secure processing device for use in a communication system realizing email access control, the computer readable program code means includes:

first computer readable program code means for causing said computer to receive a request for a personalized access ticket from a user; and
second computer readable program code means for causing said computer to issue the personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is signed by a secret key of the secure processing device.

109. A computer usable medium having computer readable program code means embodied therein for causing a computer to function as a directory service device for use in a communication system realizing email access control, the computer readable program code means includes:

first computer readable program code means for causing said computer to manage an identification of each registrant and a disclosed information of each registrant which has a lower secrecy than a personal information, in a state which is accessible for search by unspecified many, and
second computer readable program code means for causing said computer to issue a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, to the sender in response to search conditions specified by the sender, by using an identification of a registrant whose disclosed information matches the search conditions as the recipient's identification and the sender's identification specified by the sender along with the search conditions.

110. A computer usable medium having computer readable program code means embodied therein for causing a computer to function as a certification authority device for use in a communication system realizing email access control, the computer readable program code means includes:

first computer readable program code means for causing said computer to issue to each user an official identification of each user by which each user is uniquely identifiable by the certification authority device; and
second computer readable program code means for causing said computer to issue to each user an anonymous identification of each user which contains at least one fragment of the official identification.

111. A computer usable medium having computer readable program code means embodied therein for causing a computer to function as a certification authority device for use in a communication system realizing email access control, the computer readable program code means includes:

first computer readable program code means for causing said computer to issue to each user an identification of each user; and
second computer readable program code means for causing said computer to issue to each user an enabler of the identification of each user indicating a right to change any personalized access ticket that contains the identification of each user as a holder identification, where the personalized access ticket generally contains a sender's identification and a plurality of recipient's identifications in correspondence, and one of the sender's identification and the recipient's identifications is a holder identification.

112. A computer usable medium having computer readable program code means embodied therein for causing a computer to function as a secure processing device for use in a communication system realizing email access control, the computer readable program code means includes:

first computer readable program code means for causing said computer to receive from a user a request for prescribed processing on a personalized access ticket containing a sender's identification and a plurality of recipient's identifications in correspondence, where one of the sender's identification and the recipient's identifications is a holder identification; and
second computer readable program code means for causing said computer to execute the prescribed processing on the personalized access ticket when the user presented both the holder identification contained in the personalized access ticket and an enabler corresponding to the holder identification which indicates a right to change the personalized access ticket containing the identification of the user as the holder identification.
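
The delivery checks that claims 96 to 103 assign to the secure communication service device, together with the ticket issuance of claim 108, can be sketched as follows. This is an added example, not code from the patent: the field names, the `refused` set keyed by sender and recipient, the `authenticated` flag standing in for the challenge/response of claim 104, and the textbook RSA toy key are all assumptions.

```python
import hashlib
import json

# Toy key pair of the secure processing device (assumption: textbook RSA over
# two Mersenne primes so the block needs only the standard library; a real
# deployment would use a vetted scheme such as Ed25519 or RSA-PSS).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                           # public modulus
D = pow(E, -1, (P - 1) * (Q - 1))   # secret exponent, held only by the issuer

def _digest(fields):
    """Hash the ticket fields in a canonical order, reduced into the modulus."""
    data = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def issue_ticket(sender, recipient, expires, auth_sender=False):
    """Secure processing device: bind both IDs in one ticket and sign it."""
    fields = {"sender": sender, "recipient": recipient,
              "expires": expires, "auth_sender": auth_sender}
    return {**fields, "sig": pow(_digest(fields), D, N)}

def check_delivery(ticket, presented_sender, now, refused=(), authenticated=False):
    """Secure communication service: return (deliver, recipient or reason)."""
    fields = {k: v for k, v in ticket.items() if k != "sig"}
    if pow(ticket["sig"], E, N) != _digest(fields):
        return False, "ticket altered"                # claims 97 and 98
    if presented_sender != ticket["sender"]:
        return False, "sender not in ticket"          # claim 99
    if now > ticket["expires"]:
        return False, "validity period expired"       # claim 100
    if (ticket["sender"], ticket["recipient"]) in refused:
        return False, "registered for refusal"        # claim 101
    if ticket["auth_sender"] and not authenticated:
        return False, "sender authentication failed"  # claim 103
    return True, ticket["recipient"]                  # hand to mail transfer

# Constructed sample: anonymous IDs and timestamps are made up.
TICKET = issue_ticket("AID-sender-01", "AID-recipient-07", expires=1_000)
```

The order of the checks matters: the signature is verified first, so none of the later comparisons ever reads a field that the issuer did not sign.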